Security of polynomial transformations of the Diffie–Hellman key

Boneh and Venkatesan have recently proposed an approach to proving that a reasonably small portions of most significant bits of the Diffie–Hellman key modulo a prime are as secure as the whole key. Some further improvements and generalizations have been obtained by Gonzales Vasco and Shparlinski. Verheul has obtained certain analogies of these results in the case of Diffie–Hellman keys in extensions of finite fields, when an oracle is given to compute a certain polynomial function of the key, for example, the trace in the background field. Here we obtain a new result in this direction concerning the case of so-called “unreliable” oracles. The result has applications to the security of the recently proposed by Lenstra and Verheul XTR cryptosystem.