A hidden number problem in small subgroups

Abstract

Boneh and Venkatesan have proposed a polynomial time algorithm for recovering a hidden element α ∈ double-struck F signp, where p is prime, from rather short strings of the most significant bits of the residue of at modulo p for several randomly chosen t ∈ double-struck F signp. González Vasco and the first author have recently extended this result to subgroups of double-struck F sign*p of order at least p1/3+ε for all p and to subgroups of order at least pε for almost all p. Here we introduce a new modification in the scheme which amplifies the uniformity of distribution of the multipliers t and thus extend this result to subgroups of order at least (log p)/(log log p)1-ε for all primes p. As in the above works, we give applications of our result to the bit security of the Diffie-Hellman secret key starting with subgroups of very small size, thus including all cryptographically interesting subgroups. © 2005 American Mathematical Society.