On the bit security of the weak Diffie-Hellman problem

Boneh and Venkatesan proposed a problem called the hidden number problem and they gave a polynomial time algorithm to solve it. And they showed that one can compute g(xy) from g(x) and g(y) if one has an oracle which computes roughly root log p most significant bits of g(xy) from given g(x) and g(y) in F-p by using an algorithm for solving the hidden number problem. Later, Shparlinski showed that one can compute g(x2) if one can compute roughly root log p most significant bits of g(x2) from given g(x). In this paper we extend these results by using some improvements on the hidden number problem and the bound of exponential sums. We show that for given g, g(alpha),...g(alpha l) is an element of F-p*, computing about root log p most significant bits of g(1/alpha) is as hard as computing g(1/alpha) itself, provided that the multiplicative order of g is prime and not too small. Furthermore, we show that we can do it when g has even much smaller multiplicative order in some special cases. (C) 2010 Elsevier B.V. All rights reserved.