Diffie-Hellman problem
Encyclopedia
The Diffie–Hellman problem (DHP) is a mathematical problem first proposed by Whitfield Diffie
and Martin Hellman
in the context of cryptography
. The motivation for this problem is that many security systems use mathematical operations that are fast to compute, but hard to reverse. For example, they enable encrypting a message, but reversing the encryption is difficult. If solving the DHP were easy, these systems would be easily broken.
Formally, g is a generator
of some group
(typically the multiplicative group
of a finite field
or an elliptic curve
group) and x and y are randomly chosen integers.
For example, in the Diffie-Hellman key exchange
, an eavesdropper observes gx and gy exchanged as part of the protocol, and the two parties both compute the shared key gxy. A fast means of solving the DHP would allow an eavesdropper to violate the privacy of the Diffie-Hellman key exchange and many of its variants, including ElGamal encryption
.
, for certain groups, it is assumed that the DHP is hard, and this is often called the Diffie–Hellman assumption. The problem has survived scrutiny for a few decades and no "easy" solution has yet been publicized.
As of 2006, the most efficient means known to solve the DHP is to solve the discrete logarithm problem (DLP), which is to find x given gx. In fact, significant progress (by den Boer, Maurer, Wolf, Boneh
and Lipton) has been made towards showing that over many groups the DHP is almost as hard as the DLP. There is no proof to date that either the DHP (or the DLP) is a hard problem, except in generic groups (by Nechaev and Shoup).
s have become popular, and in these groups the DDHP is easy, yet the DHP is still assumed to be hard. For less significant variants of the DHP see the references.
Whitfield Diffie
Bailey Whitfield 'Whit' Diffie is an American cryptographer and one of the pioneers of public-key cryptography.Diffie and Martin Hellman's paper New Directions in Cryptography was published in 1976...
and Martin Hellman
Martin Hellman
Martin Edward Hellman is an American cryptologist, and is best known for his invention of public key cryptography in cooperation with Whitfield Diffie and Ralph Merkle...
in the context of cryptography
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
. The motivation for this problem is that many security systems use mathematical operations that are fast to compute, but hard to reverse. For example, they enable encrypting a message, but reversing the encryption is difficult. If solving the DHP were easy, these systems would be easily broken.
Problem description
The Diffie–Hellman problem is stated informally as follows:- Given an element g and the values of gx and gy, what is the value of gxy?
Formally, g is a generator
Generating set of a group
In abstract algebra, a generating set of a group is a subset that is not contained in any proper subgroup of the group. Equivalently, a generating set of a group is a subset such that every element of the group can be expressed as the combination of finitely many elements of the subset and their...
of some group
Group (mathematics)
In mathematics, a group is an algebraic structure consisting of a set together with an operation that combines any two of its elements to form a third element. To qualify as a group, the set and the operation must satisfy a few conditions called group axioms, namely closure, associativity, identity...
(typically the multiplicative group
Multiplicative group
In mathematics and group theory the term multiplicative group refers to one of the following concepts, depending on the context*any group \scriptstyle\mathfrak \,\! whose binary operation is written in multiplicative notation ,*the underlying group under multiplication of the invertible elements of...
of a finite field
Finite field
In abstract algebra, a finite field or Galois field is a field that contains a finite number of elements. Finite fields are important in number theory, algebraic geometry, Galois theory, cryptography, and coding theory...
or an elliptic curve
Elliptic curve
In mathematics, an elliptic curve is a smooth, projective algebraic curve of genus one, on which there is a specified point O. An elliptic curve is in fact an abelian variety — that is, it has a multiplication defined algebraically with respect to which it is a group — and O serves as the identity...
group) and x and y are randomly chosen integers.
For example, in the Diffie-Hellman key exchange
Diffie-Hellman key exchange
Diffie–Hellman key exchange Synonyms of Diffie–Hellman key exchange include:*Diffie–Hellman key agreement*Diffie–Hellman key establishment*Diffie–Hellman key negotiation...
, an eavesdropper observes gx and gy exchanged as part of the protocol, and the two parties both compute the shared key gxy. A fast means of solving the DHP would allow an eavesdropper to violate the privacy of the Diffie-Hellman key exchange and many of its variants, including ElGamal encryption
ElGamal encryption
In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1984. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of...
.
Computational complexity
In cryptographyCryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
, for certain groups, it is assumed that the DHP is hard, and this is often called the Diffie–Hellman assumption. The problem has survived scrutiny for a few decades and no "easy" solution has yet been publicized.
As of 2006, the most efficient means known to solve the DHP is to solve the discrete logarithm problem (DLP), which is to find x given gx. In fact, significant progress (by den Boer, Maurer, Wolf, Boneh
Dan Boneh
Dan Boneh is a Professor of Computer Science and Electrical Engineering atStanford University. He is a well-known researcher in the areas of applied cryptographyand computer security.-Education:...
and Lipton) has been made towards showing that over many groups the DHP is almost as hard as the DLP. There is no proof to date that either the DHP (or the DLP) is a hard problem, except in generic groups (by Nechaev and Shoup).
Other variants
Many variants of the Diffie–Hellman problem have been considered. The most significant variant is the decisional Diffie–Hellman problem (DDHP), which is to distinguish gxy from a random group element, given g, gx, and gy. Sometimes the DHP is called the computational Diffie–Hellman problem (CDHP) to more clearly distinguish it from the DDHP. Recently groups with pairingPairing
The concept of pairing treated here occurs in mathematics.-Definition:Let R be a commutative ring with unity, and let M, N and L be three R-modules.A pairing is any R-bilinear map e:M \times N \to L...
s have become popular, and in these groups the DDHP is easy, yet the DHP is still assumed to be hard. For less significant variants of the DHP see the references.