Randomness extraction in elliptic curves and secret key derivation at the end of Diffie-Hellman protocol

Abstract

A deterministic extractor for an elliptic curve, that converts a uniformly random point on the curve to a random bit-string with a uniform distribution, is an important tool in cryptography. Such extractors can be used for example in key derivation functions, in key exchange protocols and to design cryptographically secure pseudorandom number generator. In this paper, we present a simple and efficient deterministic extractor for an elliptic curve E defined over a non prime finite field. Our extractor, for a given random point P on the curve, outputs the k-first coefficients of the abscissa of the point P. This extractor confirms the two conjectures stated by Farashahi and Pellikaan (2007) and Farashahi et al. (2008), related to the extraction of bits from coordinates of a point of an elliptic curve. As applications of our extractor, we show under the decisional Diffie-Hellman problem on an elliptic curve defined over a finite field of characteristic two, that the k-first or the k-last bits of the abscissa of a random point on the curve are indistinguishable from a random bit-string of the same length.