Running title Distribution of Diffie-Hellman pairs
Key words and phrases: Diffie-Hellman cryptosystem, Uniform distribution, Precomputation, Exponential sums
Address for correspondence: Igor Shparlinski, Department of Computing, Macquarie University, North Ryde, NSW 2109, Australia
July 28, 1999
Supported in part by ARC grant A69700294.
Abstract
Let $\mathbb{F}_p$ be a prime field of $p$ elements and let $g$ be an element of $\mathbb{F}_p$ of multiplicative order $t$ modulo $p$. We show that for any $\varepsilon > 0$ and $t \ge p^{1/3+\varepsilon}$ the Diffie-Hellman pairs $(x, g^x)$ are uniformly distributed in the Descartes product $\mathbb{Z}_t \times \mathbb{F}_p$, where $x$ runs through
- the residue ring $\mathbb{Z}_t$ modulo $t$ (that is, as in the classical Diffie-Hellman scheme);
- all $k$-sums $x = a_{i_1} + \cdots + a_{i_k}$, $1 \le i_1 < \cdots < i_k \le n$, where $a_1, \ldots, a_n \in \mathbb{Z}_t$ are selected at random (that is, as in the recently introduced Diffie-Hellman scheme with precomputation).
These results are new and nontrivial even if $t = p - 1$, that is, if $g$ is a primitive root. The method is based on some bounds of exponential sums.
$$e_m(z) = \exp(2\pi i z/m)$$
and define the character sums
$$S(r, s) = \sum_{x=1}^{t} e_t(rx)\, e_p(s g^x).$$
We need an extension of the results of [13], which concern the case $r = 0$, to the general case. Our proof is based on Lemma 3.3 of [13], see also [11], and is quite similar to the proof of Theorem 3.4 of [13]. For an integer $m \ge 1$ we denote by $T_m$ the number of solutions of the equation
Such uniformity of distribution results, although they do not have immediate security implications, still provide some useful information about the pseudorandomness of the mappings
FAX: [61-2] 98509551 E-mail: igor@.au
1 Introduction
Let $p$ be a prime number and let $\mathbb{F}_p$ be a field of $p$ elements. We fix an element $g \in \mathbb{F}_p$ of multiplicative order $t$, that is,
- the whole set $\mathbb{Z}_t$ as in the classical Diffie-Hellman scheme;
- all $k$-sums $x = a_{i_1} + \cdots + a_{i_k}$, $1 \le i_1 < \cdots < i_k \le n$, where $a_1, \ldots, a_n \in \mathbb{Z}_t$ are selected at random as in the Diffie-Hellman scheme with precomputation which has been recently introduced in [3], see also [21].
2 Notation and Auxiliary Results
Given a set $\mathcal{M}$ of $N$ points $(u_\nu, v_\nu) \in [0,1]^2$, $\nu = 1, \ldots, N$, of the unit square, we define the discrepancy $D(\mathcal{M})$ of this set as
$$D(\mathcal{M}) = \sup_{B} \left| \frac{A_N(B)}{N} - |B| \right|,$$
where the supremum is taken over all boxes $B = [\alpha, \beta] \times [\gamma, \delta] \subseteq [0,1]^2$, $|B| = (\beta - \alpha)(\delta - \gamma)$ and $A_N(B)$ is the number of points of this set which hit $B$. According to a standard principle, we can bound the discrepancy $D(\mathcal{M})$ by bounding the corresponding exponential sums. For arbitrary sets such a relation is given by the Erdős-Turán-Koksma inequality (see Theorem 1.21 of [7]), which we present in the following implicit form.
For an integer $a$ we define $\bar{a} = \max\{|a|, 1\}$.
Lemma 1. For any integer $L \ge 1$ the bound
$$D(\mathcal{M}) \ll \frac{1}{L} + \frac{1}{N} \sum_{\substack{0 < |r|, |s| < L}} \frac{1}{\bar{r}\,\bar{s}} \left| \sum_{\nu=1}^{N} \exp\bigl(2\pi i (r u_\nu + s v_\nu)\bigr) \right|$$
holds.
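The following Python is an added illustration, not code from the paper: for a small constructed instance it builds the fractional-part pairs $(x/t, g^x/p)$, evaluates the character sums $S(r,s)$ (which are exactly the inner exponential sums of Lemma 1 for this point set), computes the star discrepancy of the points, and evaluates the right-hand side of Lemma 1 for a chosen $L$. The parameters $p = 101$, $g = 2$ are constructed sample values; the star (origin-anchored box) discrepancy is used as a computable stand-in for $D(\mathcal{M})$, which it bounds from below and exceeds by at most a factor of 4 in dimension 2.

```python
import cmath
import math

def mult_order(g, p):
    # Multiplicative order t of g modulo the prime p (g^t = 1, g^s != 1 for 0 < s < t).
    # Assumes p is prime and g is not divisible by p.
    t, y = 1, g % p
    while y != 1:
        y = (y * g) % p
        t += 1
    return t

def e(m, z):
    # e_m(z) = exp(2 pi i z / m), the additive character of the paper.
    return cmath.exp(2j * math.pi * z / m)

def dh_pairs(g, p):
    # Points (x/t, g^x/p), x = 0..t-1, identifying Z_t and F_p with {0..t-1} and {0..p-1}.
    t = mult_order(g, p)
    return [(x / t, pow(g, x, p) / p) for x in range(t)]

def S(r, s, g, p):
    # S(r,s) = sum_{x=1}^{t} e_t(rx) e_p(s g^x); summing x = 0..t-1 gives the same value since g^t = 1.
    t = mult_order(g, p)
    return sum(e(t, r * x) * e(p, s * pow(g, x, p)) for x in range(t))

def star_discrepancy(pts):
    # Exact star discrepancy: sup over boxes [0,b]x[0,d] of |A_N(B)/N - bd|, evaluated on the
    # grid of point coordinates with both closed and open counts (Niederreiter's formula).
    n = len(pts)
    xs = sorted({u for u, _ in pts} | {1.0})
    ys = sorted({v for _, v in pts} | {1.0})
    best = 0.0
    for b in xs:
        for d in ys:
            closed = sum(1 for u, v in pts if u <= b and v <= d)
            opened = sum(1 for u, v in pts if u < b and v < d)
            best = max(best, closed / n - b * d, b * d - opened / n)
    return best

def etk_bound(pts, L):
    # Right-hand side of Lemma 1 (up to the absolute implied constant of the << symbol):
    # 1/L + (1/N) sum over (r,s) != (0,0), |r|,|s| < L of |sum_nu exp(2 pi i (r u_nu + s v_nu))| / (rbar sbar),
    # where abar = max(|a|, 1); for dh_pairs the inner sum equals S(r,s).
    n = len(pts)
    total = 0.0
    for r in range(-L + 1, L):
        for s in range(-L + 1, L):
            if (r, s) == (0, 0):
                continue
            inner = sum(cmath.exp(2j * math.pi * (r * u + s * v)) for u, v in pts)
            total += abs(inner) / (max(abs(r), 1) * max(abs(s), 1))
    return 1 / L + total / n
```

For the sample instance, `star_discrepancy(dh_pairs(2, 101))` and `etk_bound(dh_pairs(2, 101), 10)` can be compared directly; since 2 is a primitive root modulo 101, `S(0, 1, 2, 101)` evaluates to $-1$ because $g^x$ then runs over every nonzero residue.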
For an integer $m \ge 1$ we denote
We remark that the first result concerning $x \in \mathbb{Z}_t$ is probably well known to specialists. However, the author is unaware of any mention of it in the literature, thus it is presented here for the sake of completeness. Moreover, in the present form it uses some very recent bounds of character sums from [11, 13] (thus the bound we present is probably stronger than the one which could be known). Similar results for the RSA pairs $(x, x^e)$ modulo $m = pl$, where $p$ and $l$ are two distinct primes, have recently
- the group of units $\mathbb{Z}_m^*$ modulo $m$ as in the classical RSA scheme;
- all $k$-products $x = a_{i_1} \cdots a_{i_k}$, $1 \le i_1 < \cdots < i_k \le n$, where $a_1, \ldots, a_n \in \mathbb{Z}_m^*$ are selected at random as in the RSA scheme with precomputation [3].
ON THE DISTRIBUTION OF THE DIFFIE-HELLMAN PAIRS
Igor E. Shparlinski Department of Computing, Macquarie University Sydney, NSW 2109, Australia
igor@.au
$$x \in \mathbb{Z}_t \to g^x \in \mathbb{F}_p$$
and
$$x \in \mathbb{Z}_m^* \to x^e \in \mathbb{Z}_m^*,$$
see [17]. In particular, it would be disastrous to discover that these pairs are not uniformly distributed; in this case one could guess their leftmost bits with higher than average probability. Several other results about the uniformity of distribution of some pseudorandom generators of cryptographic interest are given in [8, 9] for the power generator, which includes the RSA generator and the Blum-Blum-Shub generator, see [2, 6, 16, 18, 25, 29], and in [26, 27] for the Naor-Reingold generator, see [19]. The uniformity of distribution of the Diffie-Hellman triples $(g^x, g^y, g^{xy})$ has been established in [4, 5]. As in [28], our main tool is character sums. In fact we use some new bounds of character sums with exponential functions which are slight modifications of those of [13]. We identify $\mathbb{F}_p$ and $\mathbb{Z}_t$ with the sets $\{0, \ldots, p-1\}$ and $\{0, \ldots, t-1\}$, respectively. Thus we study the distribution of the pairs of fractional parts
$$\left( \frac{x}{t}, \frac{g^x}{p} \right)$$
for $x$ from one of the aforementioned sets. Throughout the paper the implied constants in the symbols $O$ and $\ll$ are absolute (we recall that $A \ll B$ is equivalent to $A = O(B)$).
$$g^t = 1, \quad \text{and} \quad g^s \ne 1, \quad 1 \le s \le t - 1,$$
and denote by $\mathbb{Z}_t$ the residue ring modulo $t$. We consider the distribution of the Diffie-Hellman pairs $(x, g^x)$ in the Descartes product $\mathbb{Z}_t \times \mathbb{F}_p$, where $\mathbb{Z}_t$ is the residue ring modulo $t$, when $x$ runs through