Can we deduce the (a^b)^c mod from the partial information a^b mod d and a^c mod d in Diffie-Hellman Key Exchange?

Question

In Diffie-Hellman, the goal is to find:

$$(a^b)^c \mod d \equiv (a^c)^b \mod d$$

Alice has $b$ and Bob has $c$. $a$ and $b$ is pre-determined and known to Eve.

Exponentiation property of mod says that it is the same as:

$$(a^c \mod d)^b \mod d \equiv (a^b \mod d)^c \mod d$$

which is the key to making this work. This can be easily proved using binomial theorem for example.

Alice transmits $a^b \mod d$ and Bob transmits $a^c \mod d$.

Alice creates his key using:

$$(a^c \mod d)^b \mod d$$

Bob creates his key using:

$$(a^b \mod d)^c \mod d$$

which are same.

My question is, there is no known way to deduce this from $a^b \mod d$ and $a^c \mod d$, i.e the transmitted messages which Eve is listening to?

The reason for this doubt is that there is some 'reduced' information in the transmitted information, and Eve has access to both these transmitted information. So I was wondering if it can be constructed somehow?

Answer 1

The problem is called the Discrete Logarithm Problem (DLP) and well studied and research still working.

If you want look to the problem with a nice overview, look at the Joux nice paper. From the conclusion;

The most difficult challenge for discrete logarithms is probably the search for a subexponential algorithm that would apply to general elliptic curves defined over large characteristic fields. However, even finding new Index Calculus algorithms to cover additional special cases of curves is already a very challenging and fascinating problem in this field of research.

And this nice question might give you some idea, too.

Apart from the solving the DLP, there is a man in the middle attack for Diffie-Hellman key exchange.