7 jours d'essai offerts
Cet ouvrage et des milliers d'autres sont disponibles en abonnement pour 8,99€/mois
IntroductionOuramnierustlD:HDmiieplP,s(-DQ)ApDHcilpoitaD:sn-eiman-HelldprobaseslsAotocillcmyobrDfoicogllHee-inopxenamaslaitneitnodnnercpyENSJanDHfDnoioatizalreneGA7002,12enu
A generalization of DDH with applications toprotocol analysis and computational soundness
Amadeus SAS,laurent.mazare@m4x.org
VERIMAG Grenoble,yassine.lakhnech@imag.fr
DCSSI Crypto Lab,emmanuel@bresson.org
Emmanuel Bresson1, Yassine Lakhnech2,LaurentMazare´3,Bogdan Warinschi4
s
University of Bristol,bogdan@cs.bris.ac.uk
July 4, 2007
itnoilacAdpp
nera7AGe,200ne21aHdnfoDDitnoilaz
DDH assumption
Givengxandgy, it is computationally diffi-cult to distinguish betweengxyandgr
Simple:so easy to stateNice:properties such as random self-reducibilityApplications:numerous. . .secure public-key encryption [EG85,CS98]pseudo-random functions [NR97,Can97]pseudo-random generators [BM84]key exchange: seminal application [DH76]
nsioaticplApNEuJSortnIQ)P,DH-DplApaticsnoiiD:eH-eamllductionOurmainreustlD:HDmilpei(spxenamlleH-eiDrcrenndsaaltienonocslorotespd-nabicfoclogboliAsymPHDDlborP(eh-)Q,obprmaleThemDHeDenarilizpyitnoeGresultsTngDDHOursesuitnds
udortnIurnOioctsureinmanopxenamlleH-eirDfoicogclliboymizgnarileGenitnocrypndenalsaenticilpoitaD-)QpAHDieplP,s(:DltimDHotocslsAabespdorHellman-ns:Die-,Q(PDD)-roHPemblOHDDerrutlusehTseGenarilizgnDDHnoitDDfodnaHlppAaticnsio
Most famous: Group Diffie-Hellman [Ste96,BCP02b]givengQixi, for up ton1 exponents, decidegx1∙∙∙xnvs. gr
Appear naturally when generalizing protocolstwo-party to multi-party key exchange
Make protocol analysissimplerstill useful if the assumption can be reduced to a standard onemake protocol construction moremodular
NESuJen12,2007AGeneraliza
PHorlbmeeRaletwdsultsThe(P,Q)-DDkorneGAlare,12e7002DHfDdAanatiznoionos
Larger number of variables“group DH” problem [BCP02b], testgx1∙∙∙xn“parallel DH” problem [BCP02c]: givengxi, test thegxir“multiple DDH” problem [BCP02a]: givengxi, test thegxixj
More general polynomials expressions [Kil01]gaandgb, and a (single) challengegP(a,b)
Other extensions:General Diffie-Hellman Exponent (GDHE) [BBG05]Square Exponent [MW96,CS00,Shp02]Inverse Exponent [SS01]
ppilacitJnuESNtlD:HDmiamnierusctionOurIntroduralizingDDHOurrednnercpyitnoeGennemaonxptiensaalcigoDrof-eilleHlsAstocoliclymboam-neHllpdorabesioaticple-i:Dns,P(seilppAHDD-)Q
ions
Adversary sees somegp(x1,x2,...,xn)wherepin a fixed set of,polynomialsPpolynomialsinstead ofmonomials
1
foDDaHdnpAlpcitamenemoleardnasdnengehalleencbetwnoitazilareneGA700,221neJuSENtsiwhtpgx(reelvadecanbeintsallowededtsedicasreumyrn),xdv3Ax21,..,.llHee-i:DnsioatcilppAHDD-)Q,P(splieDHimlt:DresuamniOnrutcoiorudsaalenndonxptienlleHenamDrof-eiliclogiclsAsymbopdorotocam-nabestnIreasA2vdalleeschceivryreonimlamsQtfoopylhallengeultiplec2x,1...,segnx(qgqiresenan),xhe,w(P,QsTheHPro)-DDuOGrlbmelazinereontiypcrliraneGeOHDDgniztluserruioatfDnoDH
esnrairmHiDDt:uldortnIuOnoitculusehTst,P(eD-)QPrDHleoburmOneGearilazitnofoDDHel-HeDiorcfgiloslaitnenopxenamlnGenptioncryandeuOrrDgHDzinirela)-,QHADDlimp(Pes:snoeiDilppitac-basedpr-HellmanysbmlocitocoloAscalionti
Adversary receives challengesgq(x1,x2,...,xn), whereqin a setQof polynomialsmultiple challenges allowedcan be interleaved withgp(x1,x2,...,xn)
2
s
1
Adversary sees somegp(x1,x2,...,xn), wherepin a fixed set ofpolynomialsPpolynomialsinstead ofmonomials
oitaDfonnaHDppAd1,2007AGeneralizelemtnEsSNJnu2eanesnglemedoandrtebedicelahcneewvers3Adustdarym
pAlpcitafoDDaHdnlization7AGenera12en002,NEuJS
2
Adversary sees somegp(x1,x2,...,xn), wherepin a fixed set ofpolynomialsPpolynomialsinstead ofmonomials
Adversary receives challengesgq(x1,x2,...,xn), whereqin a setQof polynomialsmultiple challenges allowedcan be interleaved withgp(x1,x2,...,xn)
3
1
Adversary must decide between challenges and randomelements
nsionopxitneaslanednypcrontineGeliraslsAmyobillcgociforDie-HellmaneGruOmelbzilarenefDnoioatDHDDOHizgnustlruer(P,QsTheHPro)-DDtaoisnD:i-eeHllman-basedprotocouserD:tlmiHDeilpP,s(-DQ)ApDHicplItnctiorodumainnOur
radirbyh(foorpruizaleren)gntmeguodsmranadeivrpvoityoibileducelfrrane!soicitccslaanncimbeduReioct..htyeniauitno.sknownpracludeall
Q
Our Main Result
(P,Q)-DDH reduces to basic DDH !
under “natural” conditions onPand
ranezaliontiDDofdnaHlppAtacisnoiespreviousonesENSuJen122,00A7eGalerennGDHgDinizednaslaioitpyrcnDHPrQ)-DmobleseluuOrr(e,PsthTamnoitcuder,ytilranegellfuInlb(eioadnuvaDD)Hal(Gentixponybeeesehnitttilatfoyegtheren,d?)toueafristiedtnfiytely,weigFortunauctitrodInlu:trnsemrianouO)-,Q(PeslimpHiDD:snoitacilppAHDDlman-basDie-HelloAsysbmderptocoorcfeDiicolgiloopxetnenleH-naml
zingraliGenetionrcpydnnelaasneitonxpnemallHee-iDrofcigolcilobmytocolsAsbasedproeHllam-nsnD:i-eicplioat-DQ)ApDHeilp,P(sD:tlmiHDOurMainResultQ,P(DD-)orPHmelbHODDreurltsuhesTdurontIruOnoitcuserniamticalippdAanDHfDonoitazilareneGA
In full generality, reduction may be exponential (GDDH)unavoidable (?), due to the generality of the setting
(P,Q)-DDH reduces to basic DDH !under “natural” conditions onPandQ
nosnutale,yoFtrfyfairweidenti..sneht.utisoitalkalwnnoncyidelutyourproof(hybriadgrmune)tegenarzelirespouvinesoSNEsnuJ,12e7002ticapracnarilscedecusoR!acbnitnoverompeindraiadverflesmoilibicud