J. Math. Cryptol. 2018; 12(2): 101–118

Research Article

Prabhat Kushwaha*

Improved lower bound for Diffie–Hellman problem using multiplicative group of a finite field as auxiliary group

https://doi.org/10.1515/jmc-2017-0053

Received November 28, 2016; revised October 25, 2017; accepted February 12, 2018

Abstract: In 2004, Muzereau, Smart and Vercauteren [A. Muzereau, N. P. Smart and F. Vercauteren, The equivalence between the DHP and DLP for elliptic curves used in practical applications, LMS J. Comput. Math. 7 (2004), 50–72] showed how to use a reduction algorithm of the discrete logarithm problem to the Diffie–Hellman problem in order to estimate a lower bound for the Diffie–Hellman problem on elliptic curves. They presented their estimates on various elliptic curves that are used in practical applications. In this paper, we show that a much tighter lower bound for the Diffie–Hellman problem on those curves can be achieved if one uses the multiplicative group of a finite field as the auxiliary group. The improved lower bound estimates of the Diffie–Hellman problem on those recommended curves are also presented. Moreover, we have also extended our idea by presenting similar estimates of DHP on some more recommended curves which were not covered before. These estimates of DHP on these curves are currently the tightest, and they lead us towards the equivalence of the Diffie–Hellman problem and the discrete logarithm problem on these recommended elliptic curves.

Keywords: Discrete logarithm problem, lower bound for the Diffie–Hellman problem, elliptic curves used in practical applications

MSC 2010: 94A60

Communicated by: Simon Blackburn

1 Introduction

It is well known that the discrete logarithm problem (DLP) is one of two primitives that are commonly used as a building block in public key protocols, the other being integer factorization. Computational difficulty in solving DLP is a security necessity for the protocols based on it.
However, an interesting thing about these DLP-based protocols is that the security of many such protocols does not exactly rely on the hardness of DLP. For example, the ElGamal public key cryptosystem is secure if and only if the Diffie–Hellman problem (DHP) is hard to solve [7, Proposition 2.10]. That is, it is enough for an attacker to solve DHP to break the ElGamal cryptosystem. The Diffie–Hellman key exchange, pairing-based cryptosystems, digital signature schemes and many more protocols are other examples where the security of the protocol depends on the hardness of DHP. This is why the hardness of DHP is of utmost importance in public key cryptography. If DLP is easy, DHP is easy because a solution of DLP immediately yields a solution of DHP. Therefore, the only meaningful scenario to study the hardness of DHP is when DLP is known to be hard. Barring some weak elliptic curves over finite fields, there is no efficient algorithm to solve the discrete logarithm problem on the

*Corresponding author: Prabhat Kushwaha, SEAL Lab, Computer Science and Engineering, Indian Institute of Technology Kharagpur, Kharagpur, West Bengal 721302, India, e-mail: prabkush@gmail.com