Optimal Randomness Extraction from a Diffie-Hellman Element

HAL Id: inria-00419148

https://hal.inria.fr/inria-00419148

Submitted on 22 Sep 2009

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Optimal Randomness Extraction from a Diffie-Hellman Element

Céline Chevalier, Pierre-Alain Fouque, David Pointcheval, Sébastien Zimmer

To cite this version:

Céline Chevalier, Pierre-Alain Fouque, David Pointcheval, Sébastien Zimmer. Optimal Randomness Extraction from a Diffie-Hellman Element. Advances in Cryptology – Proceedings of EUROCRYPT

’09, 2009, Cologne, Allemagne, Germany. pp.572–589. �inria-00419148�

AdvanesinCryptologyProeedingsofEurorypt'09(2630april2009,Cologne,Germany)

A.JouxEd.,Springer-Verlag,LNCS5479,pages572589.

Optimal Randomness Extration from a Die-Hellman Element

Céline Chevalier, Pierre-Alain Fouque, David Pointheval, and

SébastienZimmer

ÉoleNormaleSupérieure, CNRS-INRIA,Paris,Frane

{Celine.Chevalier,Pierre-Alain.Fouque,David.Pointheval,Sebastien.Zimmer}^ens.fr

Abstrat. Inthispaper,westudyaquitesimpledeterministirandomnessextratorfromrandomDie-

HellmanelementsdenedoveraprimeordermultipliativesubgroupG^ofaniteeldZ_p(thetrunation), andoveragroupof pointsof anelliptiurve (thetrunationof theabsissa). Informallyspeaking, we

showthat theleastsigniantbits ofarandomelementinG⊂Z^∗_por oftheabsissaofa randompoint inE(F_p)^areindistinguishablefromauniformbit-string.Suhanoperationisquiteeient,andisagood randomnessextrator,sineweshowthat itanextratnearlythe samenumberofbits as theLeftover

HashLemmaandoformostElliptiCurveparametersandforlargesubgroupsofniteelds.Tothisaim,

wedevelopanewtehniquetoboundexponentialsumsthatallows ustodoublethenumberofextrated

bitsomparedwithpreviousknownresultsproposedatICALP'06byFouqueetal.Itanalsobeusedto

improvepreviousboundsproposedbyCanettietal.

OneofthemainappliationofthisextratoristomathematiallyproveanassumptionproposedatCrypto

'07andusedintheseurityproofoftheElliptiCurvePseudoRandomGeneratorproposedbytheNIST.

TheseondmostobviousappliationistoperformeientkeyderivationgivenDie-Hellmanelements.

1 Introdution

Sine Die and Hellman's seminal paper [10℄, many ryptographi shemes are based on the Die-

Hellman tehnique:key exhange protools [10℄ ofourse, butalso enryption shemes,suhasElGa-

mal [12℄and Cramer-Shoup [9℄ones, or pseudo-random generators,astheNaor-ReingoldPRNG [23℄.

Morepreisely,theseurityoftheseshemesreliesontheDeisionalDie-Hellmanassumption(DDH)[4℄,

whih means that there is no eient algorithm that an distinguish the two distributions in

G

^3,

(g

^a

, g

^b

, g

^ab

)

^and

(g

^a

, g

^b

, g

^c

)

^,where

a

^,

b

^and

c

^{arehosen at random in}

J1, qK

^,and

G = h g i

^{is a yli}

group, generated by

g

^ofprimeorder

q

^{.For manyoftheshemes whose seurityis basedontheDDH}

assumption, the DHelement is used asa shared random element of

G

^{. However, a perfetly random}

element of

G

^{isnot aperfetly random bit stringand sometimes, asinkey derivation for example, it}

an be useful to derive a uniform bitstring whih ouldbe usedasa symmetri key.Therefore, from

this randomelement of

G

^{,one hasto nda way to generate arandom bitstring.}

1.1 Related Work

One lassial solution to derive a random-looking bit-string from the DH element is to use a hash

funtion.One indeedgets auniform bit-string, but intherandom orale model[2℄.

Anothersolution, seure inthe standard model, is to usearandomness extrator, suhasthe one

whih has been proposed by Gennaro et al. in [15℄. But one rst needs to have some entropy in the

DHelement,whereas

g

^{ab is totallydetermined by}

g

^{a and}

g

^{b.This entropy is}omputationallyinjeted using aomputational assumption,asthe CDH and DDHassumptions.

The CDH assumption, whih states that

g

^{ab is diult to ompute from}

g

^{a and}

g

^{b, implies that}

severalbitsof

g

^{ab arenotknownfromtheadversary.Therefore,fromtheadversarypointofview,there}

is some randomness in it. So one solution is to prove the hardness of prediting the least signiant

bitsof aDHelement.Thisomes fromthe hardorebittheory,where one triestoprovide aredution

between an algorithm thatpredits theleastsigniant bits of theDHelement to thereovery ofthe

wholeDHelement:preditingthesebitsisthusashardassolvingtheCDHproblem.However,usually,

only asmall numberof bitsan beproved to berandom-looking,given

g

^{a and}

g

^{b [6,5,20℄.}

Thisentropy an alsobe omputationallyreated using theDDHassumption, whihsays thatwe

have

log

₂

(q)

^{bits of entropy in the DH element, but one does not know where exatly: one annot}

extrat them diretly out of the representation of the element in

G

^{. This is the goal of a random-}

ness extrator. The Leftover Hash Lemma [17,15℄ is the most famous randomness extrator. It is a

probabilisti randomness extrator that an extrat entropy for any random soure whih has su-

ient min-entropy. The main drawbak with the Leftover Hash Lemma is that it requires the use of

pairwise independent hash funtions, whih are not used in pratie, and extra perfet randomness.

A omputational version of this Leftover HashLemma, hasalso been proposed and analysed in[14℄,

versionwhih hasthe advantageof usingpseudorandom funtionsfor randomness extration andnot

pairwise independent hash funtions. However, it still requires the use of extra perfet randomness.

Thetwoprevioussolutionsaregeneri:itouldbeinterestingtondadeterministi solutiondediated

to the randomness extration from a random element in

G

^{, sine it would prevent the use of extra}

randomness.

Denitely,the most interesting solution in this veinis to keep the leastsigniant bits of theDH

element and hope that the resulting bit-string is uniform, asit is proposed in many papers [6,5,20℄.

Trunation, as studied above and in this paper, is quite simple and deterministi, whih is of high

interestfrom apratial point ofview,evenifit isspei to DHdistributions.

A rst step in this diretion was the analysis of Canetti et al. [8℄ whih basially shows that the

onatenationoftheleastsigniantbitsof

g

^a,

g

^band

g

^{abislosetotheuniform}distribution.Thisresult wasahieved using exponential sums tehniques. However, Boneh [4℄ noted: Thisis quite interesting

although it does not seem to applyto the seurity analysis of existing protools. In most protools, the

adversarylearnsallof

g

^aand

g

^{b. Thisresultisstatistialandno}ryptographiassumptionisrequired, sine some bits of

a

^and

b

^{are free, when theview of theadversary islimited to some part of}

g

^{a and}

g

^{b.There is no haneto extend this result to our problem, sine, as already noted, given the entire}

representation of

g

^aand

g

^{b,thereisnorandomnessatallin}

g

^{ab.However,undertheDDH}assumption, some entropy appears in the DH element, and so, one an expet to extrat it into a bit-string that

will be lose to the uniform distribution, ina statistialsense.

At ICALP'06, Fouque et al. [13℄ use this idea and show that under the DDH assumption, the

leastsigniant bitsof

g

^{ab arenearlyuniformly}distributed, given

g

^{a and}

g

^b,ifthegroup

G

^isalarge

enough multipliative subgroup (of prime order

q

^{) of a nite eld (let say}

Z

_p), that is,

q

^{is not too}

small ompared to

p

^{. The large}

q

^{is the main drawbak sine}

q

^{needs to be at least half the size of}

p

^{, whih makes the} ryptographi protool quite ineient. To prove this result, the authors upper bound thestatistial distane,evaluating diretlythe

L

1 ^{norm, using}exponential sums.

Sineelliptiurvesryptographyuseslargesubgroupinpratie, thesameresultforelliptiurve

ould be of pratial interest. Gürel [16℄ studied the ase of ellipti urves overquadrati extensions

of anite eld, withalarge frationof bits,and overa primenite eld,but withsimilar limitations

as above in the number of extrated bits. He also upper bounds diretly the statistial distane by

evaluatingthe

L

₁ ^{norm, butusingasumofLegendreharaters.Histehnique onlyusestheLegendre}

harater, whih is not enough in the ase of

Z

_p. Consequently, the tehnique of the authors of [13℄

neededto sum onall haraters.

1.2 Our Results

Inthis paper,we show thatthefollowing distributions areomputationallyindistinguishable

(aP, bP, U

_k

) ≈

C

(aP, bP, lsb

_k

(x(abP ))),

where

U

_k ^istheuniform distributionon

k

^-bitstrings,

lsb

_k

()

^{isthefuntionwhihtrunatesthe}

k

^least

signiant bits of abit-string and

x()

^{istheabsissa funtion ofpointson anellipti urve.}

Under the DDH assumption, we know that

(aP, bP, abP ) ≈

C

(aP, bP, cP )

^{for random salars}

a, b, c ∈ J1, qK

^{,inthe group}

G

^{,generated by}

P

^{ofprime order}

q

^{.Then, weprove, withoutanyrypto-}

graphi or mathematial assumption,that

(aP, bP, U

_k

) ≈

S

(aP, bP, lsb

_k

(x(cP )))

Atually, we rst show this result for prime order multipliative subgroups of nite elds. This

resultextendsthoseofCanettietal.andofFouqueetal.sineweareabletoextrattwiethenumber

of bits asbefore. Thisnew result isahieved by introduing a newtehnique to bound thestatistial

distane.Whereasprevioustehniquesdiretlytriedtoboundthe

L

₁^{norm,whileitishardtoopewith}

the absolute value, we upper-bound the Eulidean

L

₂ ^{norm, whih is muh easier sine only squares}

areinvolved. Finally, we are also able, insome ases,to improve our result using lassial tehniques

on exponential sums.Then, the numberof extratedbits an be madequitelose to thenumber that

theLeftover hashlemmaan extrat.

However,sinetheresultstillappliestolargesubgroupsonly,weextendittoElliptiCurvegroups.

Ingeneral,theo-fatorofECgroupsissmall:lessthan 8,and evenequal toonefor theNISTurves,

over prime elds. We thus ahieve our above-mentioned result using more involved tehniques on

exponential sums over funtions dened on the points of the ellipti urve. More preisely, we an

showthatthe82 (resp.214 and346)leastsigniantbits oftheabsissa ofaDHelementoftheNIST

urvesoverprimeelds of256(resp.384and 521)bits areindistinguishable fromarandombit-string.

They an thus be diretly used as a symmetri key. To ompare with Gürel's result in [16℄, for an

ellipti urve dened overa prime eld of 200 bits, Gürel extrats 50 bits with a statistial distane

of

2

^{−42,while withthe same distane, we an extrat102 bits.Note that Gürel'sproof was easierto}

understand,butwedidnotmanagetoevaluatethe

L

₂^{normofLegendreharatersumsandgeneralize}

his proof.

Onemainpratial onsequeneof the resultforelliptiurveis that,we an avoidtheTrunated

Point Problem(TPP) assumptionusedinthe seurityproofoftheNISTElliptiCurveDualRandom

Bit Generator (DRBG)[7,24℄.

1.3 Organization of the paper

In Setion 2,we reviewsome notations and thedenition of a deterministi randomness extrator as

wellassomeresultsontheLeftoverHashLemma.Then,inSetion3,weimprove theresultsofCanetti

etal.andofFouqueetal.usinganewtehniquetoboundexponentialsums,usingtheEulideannorm.

In this setion, we also improve theboundinsome ases. Next, inSetion 4,we prove the same kind

of result for thegroup of pointsof an ellipti urve.Finally,in Setion 5,we show some appliations

ofour proofsto theseurityofthe NISTECDRBG[7,24℄andthekeyderivationfromaDHelement.

2 Notations

First,weintroduethenotionsusedinrandomnessextration.Inthefollowing,asoureofrandomness

isviewed asaprobabilitydistribution.

2.1 Measures of Randomness

To measure the randomness existing in a random variable, we use two dierent measures: the min

entropy and theollision entropy. The min entropy measures the diulty that an adversary hasto

guessthe valueofthe randomvariable, whereastheollisionentropymeasurestheprobabilityfor two

elements drawn aordingthis distrubtion to ollide.Inthis paper,theollision entropyisused asan

intermediatetool toestablish results,whiharethenreformulated using minentropy.

Denition 1 (MinEntropy).Let

X

^{bearandomvariablewithvaluesinaniteset}

X

^.Theguessing

probability of

X

^{, denoted by}

γ(X)

^{,is the} probability

max

_x∈X

(Pr[X = x])

^{. The min entropy of}

X

^is:

H

_∞

(X) = − log

₂

(γ (X))

^.

For example, when

X

^{is drawn from the uniform} distribution on a set of size

N

^{, the}min-entropy is

log

₂

(N)

^.

Denition 2 (Collision Entropy). Let

X

^and

X

^{′ betwo random} independent and identiallydis- tributedvariableswithvaluesinaniteset

X

^{.Theollisionprobabilityof}

X

^,denotedby

Col(X)

^isthe

probability

Pr[X = X

^′

] = P

x∈X

Pr[X = x]

^{2.Theollision entropy of}

X

^is:

H

₂

(X) = − log

₂

(Col(X))

^.

The ollision entropyis also alled the Renyi entropy. There existsan easy relation between ollision

and min entropies:

H

_∞

(X) ≤ H

₂

(X) ≤ 2 · H

_∞

(X)

^{. To ompare two random variables we use the}

lassial statistialdistane:

Denition 3 (Statistial Distane). Let

X

^and

Y

^{be two randomvariables withvalues ina nite}

set

X

^{.The statistial distane between}

X

^and

Y

^{is thevalue ofthefollowing} expression:

SD(X, Y ) = 1 2

X

x∈X

| Pr[X = x] − Pr[Y = x] | .

Wedenoteby

U

_k^{arandomvariableuniformly}distributedover

{ 0, 1 }

^{k.Wesaythatarandomvariable}

X

^{with values in}

{ 0, 1 }

^{k is}

δ

^{-uniform ifthe statistial distane between}

X

^and

U

_k ^is upper-bounded by

δ

^.

Lemma 4. Let

X

^{be a random variable with values in a set}

X

^{of size}

|X |

^and

ε = SD(X, U

_X

)

^the

statistial distane between

X

^and

U

_X^{,the uniformly} distributed variable over

X

^{. We have:}

Col(X) ≥ 1 + 4ε

²

|X | .

⁽¹⁾

Proof. Thislemma, whose resultis veryuseful inthis work,is proved inAppendix A.

2.2 From Min Entropy to

δ

-Uniformity

The most ommon method to obtain a

δ

^{-uniform soure is to extrat randomness from} high-entropy bit-string soures, using a so-alled randomness extrator. Presumably, the most famous randomness

extrator is provided by the Leftover Hash Lemma [17,19℄, whih requires the use of universal hash

funtion families.

Denition 5 (Universal Hash Funtion Family). A universal hash funtion family

(h

_i

)

_i∈{0,1}d

with

h

_i

: { 0, 1 }

ⁿ

→ { 0, 1 }

^k,for

i ∈ { 0, 1 }

^{d,isafamilyoffuntionssuhthat,forevery}

x 6 = y

ⁱⁿ

{ 0, 1 }

^n,

Pr

_i∈{0,1}d

[h

_i

(x) = h

_i

(y)] ≤ 1/2

^k.

Let

(h

i

)

_i∈{0,1}d ^{be a universal hash funtion family, let}

i

^{denote a random variable with uniform}

distribution over

{ 0, 1 }

^{d, let}

U

_k ^{denotea random variableuniformly} distributedin

{ 0, 1 }

^{k,and let}

X

denote a random variable taking values in

{ 0, 1 }

^{n, with}

i

^and

X

^mutually independent and with

X

min entropy greater than

m

^{, that is}

H

_∞

(X) ≥ m

^{. The Leftover Hash Lemma (whih proof an be}

found in[25℄)statesthat

SD( h i, h

_i

(X) i , h i, U

_k

i ) ≤ 2

^{(k−m)/2−1.}

In other words, if one wants to extrat entropy from the random variable

X

^{, one generates a}

uniformly distributed randomvariable

i

^andomputes

h

_i

(X)

^{.TheLeftoverHashLemma guarantees a}

2

^{−e seurity,ifone imposes that}

k ≤ m − 2e + 2.

⁽²⁾

TheLeftoverHashLemmaextratsnearlyalloftheentropyavailablewhatevertherandomnesssoures

are,butitneedstoinvestfewadditionaltrulyrandombits.Tooveromethisproblem,itwasproposed

to use deterministi funtions. Theydo not need extra random bits, but only exist for some spei

randomness soures.

Denition 6 (Deterministi Extrator). Let

f

^{be afuntion from}

{ 0, 1 }

^{n into}

{ 0, 1 }

^k.Let

X

^be

arandom variabletakingvalues in

{ 0, 1 }

^{n and let}

U

_k ^{denotearandom variableuniformly}distributed in

{ 0, 1 }

^k,where

U

_k ^and

X

^areindependent. We saythat

f

^{is an}

(X, ε)

-deterministi extrator if:

SD (f (X), U

_k

) < ε.

2.3 Charaters on Abelian Groups

We realla standard lemmafor haratergroups ofAbelian groups.

Lemma 7. Let

H

^{be an Abelian group and}

H ˆ = Hom(H, C

^∗

)

^{its dual group. Then,for any element}

χ

of

H ˆ

^{, the following holds,where}

χ

₀ ^{is the trivialharater:}

1

| H | P

h∈H

χ(h) =

( 1

^if

χ = χ

0

0

^if

χ 6 = χ

₀

Inthefollowing, we denoteby

e

_p ^{theharatersuh thatfor all}

x ∈ F

_p,

e

_p

(x) = e

^2iπxp

∈ C

^∗. 2.4 Ellipti Curves

Let

p

^{be a prime and}

E

^{be anellipti urveover}

F

_p given bytheWeierstrass equation

y

²

+ (a

₁

x + a

₃

) · y = x

³

+ a

₂

x

²

+ a

₄

x + a

₆

.

We denoteby

E ( F

_p

)

^{the groupof elementsof}

E

^over

F

_p andby

F

_p

( E )

^{thefuntioneldof theurve}

E

^,

dened as theeld of frations overthe points of

E

^:

F

_p

( E ) = F

_p

[X, Y ]/ E ( F

_p

)

^{. It is generated by the}

funtions

x

^and

y

^{,satisfying the Weierstrass equationof}

E

^{, and suh that}

P = (x(P), y(P ))

^{for eah}

P ∈ E ( F

_p

) \ { O }

^.Let

f

_a

∈ F

_p

( E )

^{be theappliation}

f

_a

= a · x

^where

a ∈ Z

^∗_p.If

f ∈ F

_p

( E )

^{, we denote}

by

deg(f )

^{its degree, that is}

P

^t

i=1

n

_i

deg(P

_i

)

^if

P

^t

i=1

n

_i

P

_i ^{is the divisor of poles of}

f

^{. Finally, we denote}

by

Ω = Hom( E ( F

_p

), C

^∗

)

^{the groupof haraters on}

E ( F

_p

)

^{,and by}

ω

₀ ^{the trivialharater (suh that}

ω

0

(P) = 1

^{for eah}

P

^).

3 Randomness Extration in Finite Fields

In this setion, we rst extends results from Fouque et al. [13℄, in order to extrat bits from random

elements in a multipliative subgroup of a nite eld. Then, we use the same tehniques to improve

theresultof Canetti etal.[8℄.

3.1 RandomnessExtration

Westudynowtherandomnessextratorwhihonsistsinkeepingtheleastsigniantbitsofarandom

element froma subgroup

G

^of

Z

^∗

p^{.The proof tehnique presented here allows us to extrat twie the}

numberofbitsextratedbyFouqueetal..Inthe partiularasewhen

q ≥ p

^3/4,where

q

^istheardinal

of

G

^{,we prove aneven betterresult: one anextrat asmanybits aswiththeLeftover HashLemma.}

Thismeansthat,inthe asewhen

q ≥ p

^{3/4,ourextrator isasgoodastheLeftoverHashLemma, but}

omputationally more eient and easiest to use in protools, sine it does not require extra perfet

publi randomness.

In the original paper, Fouque et al. upper bound diretly the statistial distane between the

extrated bits and the uniform distribution, using exponential sums. We still use them, but propose

to apply exponential sum tehnique to upper bound the ollision probability of the extrated bits.