HAL Id: inria-00419148
https://hal.inria.fr/inria-00419148
Submitted on 22 Sep 2009
Optimal Randomness Extraction from a Diffie-Hellman Element
Céline Chevalier, Pierre-Alain Fouque, David Pointcheval, Sébastien Zimmer
To cite this version:
Céline Chevalier, Pierre-Alain Fouque, David Pointcheval, Sébastien Zimmer. Optimal Randomness Extraction from a Diffie-Hellman Element. Advances in Cryptology – Proceedings of EUROCRYPT '09, 2009, Cologne, Germany. pp.572–589. ⟨inria-00419148⟩
Advances in Cryptology – Proceedings of Eurocrypt '09 (26–30 April 2009, Cologne, Germany)
A. Joux Ed., Springer-Verlag, LNCS 5479, pages 572–589.
Optimal Randomness Extraction from a Diffie-Hellman Element
Céline Chevalier, Pierre-Alain Fouque, David Pointcheval, and Sébastien Zimmer
École Normale Supérieure, CNRS-INRIA, Paris, France
{Celine.Chevalier,Pierre-Alain.Fouque,David.Pointcheval,Sebastien.Zimmer}@ens.fr
Abstract. In this paper, we study a quite simple deterministic randomness extractor from random Diffie-Hellman elements defined over a prime order multiplicative subgroup $G$ of a finite field $\mathbb{Z}_p$ (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Informally speaking, we show that the least significant bits of a random element in $G \subset \mathbb{Z}_p^*$ or of the abscissa of a random point in $E(\mathbb{F}_p)$ are indistinguishable from a uniform bit-string. Such an operation is quite efficient, and is a good randomness extractor, since we show that it can extract nearly the same number of bits as the Leftover Hash Lemma can do for most Elliptic Curve parameters and for large subgroups of finite fields. To this aim, we develop a new technique to bound exponential sums that allows us to double the number of extracted bits compared with previous known results proposed at ICALP'06 by Fouque et al. It can also be used to improve previous bounds proposed by Canetti et al.
One of the main applications of this extractor is to mathematically prove an assumption proposed at Crypto '07 and used in the security proof of the Elliptic Curve Pseudo Random Generator proposed by the NIST.
The second most obvious application is to perform efficient key derivation given Diffie-Hellman elements.
1 Introduction
Since Diffie and Hellman's seminal paper [10], many cryptographic schemes are based on the Diffie-Hellman technique: key exchange protocols [10] of course, but also encryption schemes, such as ElGamal [12] and Cramer-Shoup [9] ones, or pseudo-random generators, as the Naor-Reingold PRNG [23]. More precisely, the security of these schemes relies on the Decisional Diffie-Hellman assumption (DDH) [4], which means that there is no efficient algorithm that can distinguish the two distributions in $G^3$, $(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$, where $a$, $b$ and $c$ are chosen at random in $\llbracket 1, q \rrbracket$, and $G = \langle g \rangle$ is a cyclic group, generated by $g$ of prime order $q$. For many of the schemes whose security is based on the DDH assumption, the DH element is used as a shared random element of $G$. However, a perfectly random element of $G$ is not a perfectly random bit string and sometimes, as in key derivation for example, it can be useful to derive a uniform bit string which could be used as a symmetric key. Therefore, from this random element of $G$, one has to find a way to generate a random bit string.
1.1 Related Work
One classical solution to derive a random-looking bit-string from the DH element is to use a hash function. One indeed gets a uniform bit-string, but in the random oracle model [2].
Another solution, secure in the standard model, is to use a randomness extractor, such as the one which has been proposed by Gennaro et al. in [15]. But one first needs to have some entropy in the DH element, whereas $g^{ab}$ is totally determined by $g^a$ and $g^b$. This entropy is computationally injected using a computational assumption, such as the CDH and DDH assumptions. The CDH assumption, which states that $g^{ab}$ is difficult to compute from $g^a$ and $g^b$, implies that several bits of $g^{ab}$ are not known to the adversary. Therefore, from the adversary's point of view, there is some randomness in it. So one solution is to prove the hardness of predicting the least significant bits of a DH element. This comes from the hardcore bit theory, where one tries to provide a reduction from an algorithm that predicts the least significant bits of the DH element to the recovery of the whole DH element: predicting these bits is thus as hard as solving the CDH problem. However, usually, only a small number of bits can be proved to be random-looking, given $g^a$ and $g^b$ [6,5,20].
This entropy can also be computationally created using the DDH assumption, which says that we have $\log_2(q)$ bits of entropy in the DH element, but one does not know where exactly: one cannot extract them directly out of the representation of the element in $G$. This is the goal of a randomness extractor. The Leftover Hash Lemma [17,15] is the most famous randomness extractor. It is a probabilistic randomness extractor that can extract entropy from any random source which has sufficient min-entropy. The main drawback with the Leftover Hash Lemma is that it requires the use of pairwise independent hash functions, which are not used in practice, and extra perfect randomness. A computational version of this Leftover Hash Lemma has also been proposed and analysed in [14], a version which has the advantage of using pseudorandom functions for randomness extraction and not pairwise independent hash functions. However, it still requires the use of extra perfect randomness.
The two previous solutions are generic: it could be interesting to find a deterministic solution dedicated to the randomness extraction from a random element in $G$, since it would avoid the use of extra randomness. Definitely, the most interesting solution in this vein is to keep the least significant bits of the DH element and hope that the resulting bit-string is uniform, as it is proposed in many papers [6,5,20]. Truncation, as studied above and in this paper, is quite simple and deterministic, which is of high interest from a practical point of view, even if it is specific to DH distributions.
A first step in this direction was the analysis of Canetti et al. [8] which basically shows that the concatenation of the least significant bits of $g^a$, $g^b$ and $g^{ab}$ is close to the uniform distribution. This result was achieved using exponential sums techniques. However, Boneh [4] noted: "This is quite interesting although it does not seem to apply to the security analysis of existing protocols. In most protocols, the adversary learns all of $g^a$ and $g^b$." This result is statistical and no cryptographic assumption is required, since some bits of $a$ and $b$ are free, when the view of the adversary is limited to some part of $g^a$ and $g^b$. There is no chance to extend this result to our problem, since, as already noted, given the entire representation of $g^a$ and $g^b$, there is no randomness at all in $g^{ab}$. However, under the DDH assumption, some entropy appears in the DH element, and so, one can expect to extract it into a bit-string that will be close to the uniform distribution, in a statistical sense.
At ICALP'06, Fouque et al. [13] use this idea and show that under the DDH assumption, the least significant bits of $g^{ab}$ are nearly uniformly distributed, given $g^a$ and $g^b$, if the group $G$ is a large enough multiplicative subgroup (of prime order $q$) of a finite field (say $\mathbb{Z}_p$), that is, $q$ is not too small compared to $p$. The large $q$ is the main drawback since $q$ needs to be at least half the size of $p$, which makes the cryptographic protocol quite inefficient. To prove this result, the authors upper bound the statistical distance, evaluating directly the $L_1$ norm, using exponential sums.
Since elliptic curve cryptography uses large subgroups in practice, the same result for elliptic curves could be of practical interest. Gürel [16] studied the case of elliptic curves over quadratic extensions of a finite field, with a large fraction of bits, and over a prime finite field, but with similar limitations as above in the number of extracted bits. He also upper bounds directly the statistical distance by evaluating the $L_1$ norm, but using a sum of Legendre characters. His technique only uses the Legendre character, which is not enough in the case of $\mathbb{Z}_p$. Consequently, the technique of the authors of [13] needed to sum on all characters.
1.2 Our Results
In this paper, we show that the following distributions are computationally indistinguishable
$$(aP, bP, U_k) \approx_C (aP, bP, \mathrm{lsb}_k(x(abP))),$$
where $U_k$ is the uniform distribution on $k$-bit strings, $\mathrm{lsb}_k(\cdot)$ is the function which keeps the $k$ least significant bits of a bit-string and $x(\cdot)$ is the abscissa function of points on an elliptic curve. Under the DDH assumption, we know that
$$(aP, bP, abP) \approx_C (aP, bP, cP)$$
for random scalars $a, b, c \in \llbracket 1, q \rrbracket$, in the group $G$, generated by $P$ of prime order $q$. Then, we prove, without any cryptographic or mathematical assumption, that
$$(aP, bP, U_k) \approx_S (aP, bP, \mathrm{lsb}_k(x(cP))).$$
Actually, we first show this result for prime order multiplicative subgroups of finite fields. This result extends those of Canetti et al. and of Fouque et al. since we are able to extract twice the number of bits as before. This new result is achieved by introducing a new technique to bound the statistical distance. Whereas previous techniques directly tried to bound the $L_1$ norm, where the absolute value is hard to cope with, we upper-bound the Euclidean $L_2$ norm, which is much easier since only squares are involved. Finally, we are also able, in some cases, to improve our result using classical techniques on exponential sums. Then, the number of extracted bits can be made quite close to the number that the Leftover Hash Lemma can extract.
However, since the result still applies to large subgroups only, we extend it to Elliptic Curve groups. In general, the co-factor of EC groups is small: less than 8, and even equal to one for the NIST curves over prime fields. We thus achieve our above-mentioned result using more involved techniques on exponential sums over functions defined on the points of the elliptic curve. More precisely, we can show that the 82 (resp. 214 and 346) least significant bits of the abscissa of a DH element of the NIST curves over prime fields of 256 (resp. 384 and 521) bits are indistinguishable from a random bit-string. They can thus be directly used as a symmetric key. To compare with Gürel's result in [16], for an elliptic curve defined over a prime field of 200 bits, Gürel extracts 50 bits with a statistical distance of $2^{-42}$, while with the same distance, we can extract 102 bits. Note that Gürel's proof was easier to understand, but we did not manage to evaluate the $L_2$ norm of Legendre character sums and generalize his proof.
One main practical consequence of the result for elliptic curves is that we can avoid the Truncated Point Problem (TPP) assumption used in the security proof of the NIST Elliptic Curve Dual Random Bit Generator (DRBG) [7,24].
1.3 Organization of the paper
In Section 2, we review some notations and the definition of a deterministic randomness extractor as well as some results on the Leftover Hash Lemma. Then, in Section 3, we improve the results of Canetti et al. and of Fouque et al. using a new technique to bound exponential sums, using the Euclidean norm. In this section, we also improve the bound in some cases. Next, in Section 4, we prove the same kind of result for the group of points of an elliptic curve. Finally, in Section 5, we show some applications of our proofs to the security of the NIST EC DRBG [7,24] and the key derivation from a DH element.
2 Notations
First, we introduce the notions used in randomness extraction. In the following, a source of randomness is viewed as a probability distribution.
2.1 Measures of Randomness
To measure the randomness existing in a random variable, we use two different measures: the min entropy and the collision entropy. The min entropy measures the difficulty that an adversary has to guess the value of the random variable, whereas the collision entropy measures the probability for two elements drawn according to this distribution to collide. In this paper, the collision entropy is used as an intermediate tool to establish results, which are then reformulated using min entropy.
Definition 1 (Min Entropy). Let $X$ be a random variable with values in a finite set $\mathcal{X}$. The guessing probability of $X$, denoted by $\gamma(X)$, is the probability $\max_{x \in \mathcal{X}} (\Pr[X = x])$. The min entropy of $X$ is: $H_\infty(X) = -\log_2(\gamma(X))$.
For example, when $X$ is drawn from the uniform distribution on a set of size $N$, the min-entropy is $\log_2(N)$.
Definition 2 (Collision Entropy). Let $X$ and $X'$ be two random independent and identically distributed variables with values in a finite set $\mathcal{X}$. The collision probability of $X$, denoted by $\mathrm{Col}(X)$, is the probability $\Pr[X = X'] = \sum_{x \in \mathcal{X}} \Pr[X = x]^2$. The collision entropy of $X$ is: $H_2(X) = -\log_2(\mathrm{Col}(X))$.
The collision entropy is also called the Renyi entropy. There exists an easy relation between collision and min entropies: $H_\infty(X) \le H_2(X) \le 2 \cdot H_\infty(X)$. To compare two random variables we use the classical statistical distance:
Definition 3 (Statistical Distance). Let $X$ and $Y$ be two random variables with values in a finite set $\mathcal{X}$. The statistical distance between $X$ and $Y$ is the value of the following expression:
$$\mathrm{SD}(X, Y) = \frac{1}{2} \sum_{x \in \mathcal{X}} \left| \Pr[X = x] - \Pr[Y = x] \right|.$$
We denote by $U_k$ a random variable uniformly distributed over $\{0,1\}^k$. We say that a random variable $X$ with values in $\{0,1\}^k$ is $\delta$-uniform if the statistical distance between $X$ and $U_k$ is upper-bounded by $\delta$.
Lemma 4. Let $X$ be a random variable with values in a set $\mathcal{X}$ of size $|\mathcal{X}|$ and $\varepsilon = \mathrm{SD}(X, U_{\mathcal{X}})$ the statistical distance between $X$ and $U_{\mathcal{X}}$, the uniformly distributed variable over $\mathcal{X}$. We have:
$$\mathrm{Col}(X) \ge \frac{1 + 4\varepsilon^2}{|\mathcal{X}|}. \quad (1)$$
Proof. This lemma, whose result is very useful in this work, is proved in Appendix A.
2.2 From Min Entropy to $\delta$-Uniformity
The most common method to obtain a $\delta$-uniform source is to extract randomness from high-entropy bit-string sources, using a so-called randomness extractor. Presumably, the most famous randomness extractor is provided by the Leftover Hash Lemma [17,19], which requires the use of universal hash function families.
Definition 5 (Universal Hash Function Family). A universal hash function family $(h_i)_{i \in \{0,1\}^d}$ with $h_i : \{0,1\}^n \to \{0,1\}^k$, for $i \in \{0,1\}^d$, is a family of functions such that, for every $x \ne y$ in $\{0,1\}^n$, $\Pr_{i \in \{0,1\}^d}[h_i(x) = h_i(y)] \le 1/2^k$.
Let $(h_i)_{i \in \{0,1\}^d}$ be a universal hash function family, let $i$ denote a random variable with uniform distribution over $\{0,1\}^d$, let $U_k$ denote a random variable uniformly distributed in $\{0,1\}^k$, and let $X$ denote a random variable taking values in $\{0,1\}^n$, with $i$ and $X$ mutually independent and with $X$ of min entropy greater than $m$, that is $H_\infty(X) \ge m$. The Leftover Hash Lemma (whose proof can be found in [25]) states that
$$\mathrm{SD}(\langle i, h_i(X) \rangle, \langle i, U_k \rangle) \le 2^{(k-m)/2 - 1}.$$
In other words, if one wants to extract entropy from the random variable $X$, one generates a uniformly distributed random variable $i$ and computes $h_i(X)$. The Leftover Hash Lemma guarantees a $2^{-e}$ security, if one imposes that
$$k \le m - 2e + 2. \quad (2)$$
The Leftover Hash Lemma extracts nearly all of the entropy available whatever the randomness sources are, but it needs to invest a few additional truly random bits. To overcome this problem, it was proposed to use deterministic functions. They do not need extra random bits, but only exist for some specific randomness sources.
Definition 6 (Deterministic Extractor). Let $f$ be a function from $\{0,1\}^n$ into $\{0,1\}^k$. Let $X$ be a random variable taking values in $\{0,1\}^n$ and let $U_k$ denote a random variable uniformly distributed in $\{0,1\}^k$, where $U_k$ and $X$ are independent. We say that $f$ is an $(X, \varepsilon)$-deterministic extractor if:
$$\mathrm{SD}(f(X), U_k) < \varepsilon.$$
2.3 Characters on Abelian Groups
We recall a standard lemma for character groups of Abelian groups.
Lemma 7. Let $H$ be an Abelian group and $\hat{H} = \mathrm{Hom}(H, \mathbb{C}^*)$ its dual group. Then, for any element $\chi$ of $\hat{H}$, the following holds, where $\chi_0$ is the trivial character:
$$\frac{1}{|H|} \sum_{h \in H} \chi(h) = \begin{cases} 1 & \text{if } \chi = \chi_0 \\ 0 & \text{if } \chi \ne \chi_0 \end{cases}$$
In the following, we denote by $e_p$ the character such that for all $x \in \mathbb{F}_p$, $e_p(x) = e^{2i\pi x/p} \in \mathbb{C}^*$.
2.4 Elliptic Curves
Let $p$ be a prime and $E$ be an elliptic curve over $\mathbb{F}_p$ given by the Weierstrass equation
$$y^2 + (a_1 x + a_3) \cdot y = x^3 + a_2 x^2 + a_4 x + a_6.$$
We denote by $E(\mathbb{F}_p)$ the group of elements of $E$ over $\mathbb{F}_p$ and by $\mathbb{F}_p(E)$ the function field of the curve $E$, defined as the field of fractions over the points of $E$: $\mathbb{F}_p(E) = \mathbb{F}_p[X, Y]/E(\mathbb{F}_p)$. It is generated by the functions $x$ and $y$, satisfying the Weierstrass equation of $E$, and such that $P = (x(P), y(P))$ for each $P \in E(\mathbb{F}_p) \setminus \{\mathcal{O}\}$. Let $f_a \in \mathbb{F}_p(E)$ be the application $f_a = a \cdot x$ where $a \in \mathbb{Z}_p^*$. If $f \in \mathbb{F}_p(E)$, we denote by $\deg(f)$ its degree, that is $\sum_{i=1}^t n_i \deg(P_i)$ if $\sum_{i=1}^t n_i P_i$ is the divisor of poles of $f$. Finally, we denote by $\Omega = \mathrm{Hom}(E(\mathbb{F}_p), \mathbb{C}^*)$ the group of characters on $E(\mathbb{F}_p)$, and by $\omega_0$ the trivial character (such that $\omega_0(P) = 1$ for each $P$).
3 Randomness Extraction in Finite Fields
In this section, we first extend results from Fouque et al. [13], in order to extract bits from random elements in a multiplicative subgroup of a finite field. Then, we use the same techniques to improve the result of Canetti et al. [8].
3.1 Randomness Extraction
We study now the randomness extractor which consists in keeping the least significant bits of a random element from a subgroup $G$ of $\mathbb{Z}_p^*$. The proof technique presented here allows us to extract twice the number of bits extracted by Fouque et al. In the particular case when $q \ge p^{3/4}$, where $q$ is the cardinal of $G$, we prove an even better result: one can extract as many bits as with the Leftover Hash Lemma. This means that, in the case when $q \ge p^{3/4}$, our extractor is as good as the Leftover Hash Lemma, but computationally more efficient and easier to use in protocols, since it does not require extra perfect public randomness.
In the original paper, Fouque et al. upper bound directly the statistical distance between the extracted bits and the uniform distribution, using exponential sums. We still use them, but propose to apply exponential sum techniques to upper bound the collision probability of the extracted bits.
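The following Python is an added worked example (not code from the paper) that evaluates the truncation extractor of this section exactly on a toy subgroup: it enumerates the order-$q$ subgroup $G$ of $\mathbb{Z}_p^*$, applies $\mathrm{lsb}_k$, and computes the measures of Section 2.1 (guessing probability, collision probability, statistical distance) to check inequality (1) of Lemma 4 and the relation $H_\infty \le H_2 \le 2 H_\infty$; the parameters $p = 1019$, $q = 509$ and the tiny $p = 7$, $q = 3$ case are constructed choices.

```python
# Added example: exhaustive evaluation of the truncation extractor lsb_k on a
# prime-order subgroup G of Z_p^* (Section 3.1) with the measures of Section
# 2.1 and Lemma 4. Toy-sized p and q are constructed; not code from the paper.
from collections import Counter
from fractions import Fraction
from math import log2

def subgroup(p, q):
    """Elements of the subgroup of order q in Z_p^* (assumes q prime, q | p-1)."""
    cofactor = (p - 1) // q
    for g in range(2, p):
        h = pow(g, cofactor, p)
        if h != 1:                       # h has order exactly q since q is prime
            return sorted(pow(h, i, p) for i in range(q))
    raise ValueError("no element of order q found")

def lsb(x, k):
    """Keep the k least significant bits of x (the extractor studied here)."""
    return x & ((1 << k) - 1)

def distribution(values):
    """Exact distribution (as Fractions) of a uniform draw from the list `values`."""
    counts = Counter(values)
    return {v: Fraction(c, len(values)) for v, c in counts.items()}

def statistical_distance(dist, size):
    """Definition 3: SD(X, U) for U uniform over a `size`-element set containing supp(X)."""
    u = Fraction(1, size)
    sd = sum(abs(pr - u) for pr in dist.values())
    sd += u * (size - len(dist))         # outcomes x with Pr[X = x] = 0
    return sd / 2

def collision_probability(dist):
    """Definition 2: Col(X) = sum_x Pr[X = x]^2."""
    return sum(pr * pr for pr in dist.values())

def analyse(p, q, k):
    """Statistics of lsb_k(X) for X uniform over the order-q subgroup of Z_p^*."""
    dist = distribution([lsb(x, k) for x in subgroup(p, q)])
    size = 1 << k
    eps = statistical_distance(dist, size)
    gamma = max(dist.values())           # Definition 1: guessing probability
    col = collision_probability(dist)
    return {
        "eps": eps,
        "col": col,
        "min_entropy": -log2(gamma),
        "collision_entropy": -log2(col),
        # Lemma 4, inequality (1): Col(X) >= (1 + 4 eps^2) / |X|, checked exactly
        "lemma4_holds": col >= (1 + 4 * eps * eps) / size,
        # H_inf <= H_2 <= 2 H_inf is equivalent to gamma^2 <= Col(X) <= gamma
        "entropy_chain_holds": gamma * gamma <= col <= gamma,
    }
```

For $p = 7$, $q = 3$ and $k = 1$ the subgroup is $\{1, 2, 4\}$ and inequality (1) is tight (both sides equal $5/9$), while for $p = 1019$, $q = 509$ the extracted bits stay close to uniform for small $k$.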