Introduction Our main result: DDH implies P Q DDH

92 pages

Français

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Introduction Our main result: DDH implies P Q DDH

pefav - Emmanuel Bresson1

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

92 pages

Français

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

A propos
Informations
Extrait

Description

Introduction Our main result: DDH implies (P,Q)-DDH Applications: Diffie-Hellman-based protocols A symbolic logic for Diffie-Hellman exponentials and encryption A generalization of DDH with applications to protocol analysis and computational soundness Emmanuel Bresson1, Yassine Lakhnech2, Laurent Mazare3, Bogdan Warinschi4 DCSSI Crypto Lab, VERIMAG Grenoble, Amadeus SAS, University of Bristol, July 4, 2007 ENS — June 21, 2007 A Generalization of DDH and Applications

generalizing ddh

pseudo-random generators

protocol analysis

adversary must

secure public-key

make protocol

multiple challenges

key exchange

Sujets

Protocol analysis

Informations

Publié par	pefav
Nombre de lectures	12
Langue	Français

Extrait

IntroductionOuramnierustlD:HDmiieplP,s(-DQ)ApDHcilpoitaD:sn-eﬃiman-HelldprobaseslsAotocillcmyobrDfoicogllHee-iﬃnopxenamaslaitneitnodnnercpyENS—JanDHfDnoioatizalreneGA7002,12enu

A generalization of DDH with applications toprotocol analysis and computational soundness

Amadeus SAS,laurent.mazare@m4x.org

VERIMAG Grenoble,yassine.lakhnech@imag.fr

DCSSI Crypto Lab,emmanuel@bresson.org

Emmanuel Bresson1, Yassine Lakhnech2,LaurentMazare´3,Bogdan Warinschi4

University of Bristol,bogdan@cs.bris.ac.uk

July 4, 2007

itnoilacAdpp

nera7AGe,200ne21aHdnfoDDitnoilaz

DDH assumption

Givengxandgy, it is computationally diﬃ-cult to distinguish betweengxyandgr

Simple:so easy to stateNice:properties such as random self-reducibilityApplications:numerous. . .secure public-key encryption [EG85,CS98]pseudo-random functions [NR97,Can97]pseudo-random generators [BM84]key exchange: seminal application [DH76]

nsioaticplApNEuJ—SortnIQ)P,DH-DplApaticsnoiﬃiD:eH-eamllductionOurmainreustlD:HDmilpei(spxenamlleH-eﬃiDrcrenndsaaltienonocslorotespd-nabicfoclogboliAsymPHDDlborP(eh-)Q,obprmaleThemDHeDenarilizpyitnoeGresultsTngDDHOursesuitnds

udortnIurnOioctsureinmanopxenamlleH-eﬃirDfoicogclliboymizgnarileGenitnocrypndenalsaenticilpoitaD-)QpAHDieplP,s(:DltimDHotocslsAabespdorHellman-ns:Diﬃe-,Q(PDD)-roHPemblOHDDerrutlusehTseGenarilizgnDDHnoitDDfodnaHlppAaticnsio

Most famous: Group Diﬃe-Hellman [Ste96,BCP02b]givengQixi, for up ton−1 exponents, decidegx1∙∙∙xnvs. gr

Appear naturally when generalizing protocolstwo-party to multi-party key exchange

Make protocol analysissimplerstill useful if the assumption can be reduced to a standard onemake protocol construction moremodular

NE—SuJen12,2007AGeneraliza

PHorlbmeeRaletwdsultsThe(P,Q)-DDkorneGAlare,12e7002DHfDdAanatiznoionos

Larger number of variables“group DH” problem [BCP02b], testgx1∙∙∙xn“parallel DH” problem [BCP02c]: givengxi, test thegxir“multiple DDH” problem [BCP02a]: givengxi, test thegxixj

More general polynomials expressions [Kil01]gaandgb, and a (single) challengegP(a,b)

Other extensions:General Diﬃe-Hellman Exponent (GDHE) [BBG05]Square Exponent [MW96,CS00,Shp02]Inverse Exponent [SS01]

ppilacitJ—nuESNtlD:HDmiamnierusctionOurIntroduralizingDDHOurrednnercpyitnoeGennemaonxptiensaalcigoDrof-eﬃilleHlsAstocoliclymboam-neHllpdorabesioaticple-iﬃ:Dns,P(seilppAHDD-)Q

ions

Adversary sees somegp(x1,x2,...,xn)wherepin a ﬁxed set of,polynomialsPpolynomialsinstead ofmonomials

foDDaHdnpAlpcitamenemoleardnasdnengehalleencbetwnoitazilareneGA700,221neJuS—ENtsiwhtpgx(reelvadecanbeintsallowededtsedicasreumyrn),xdv3Ax21,..,.llHee-iﬃ:DnsioatcilppAHDD-)Q,P(splieDHimlt:DresuamniOnrutcoiorudsaalenndonxptienlleHenamDrof-eﬃiliclogiclsAsymbopdorotocam-nabestnIreasA2vdalleeschceivryreonimlamsQtfoopylhallengeultiplec2x,1...,segnx(qgqiresenan),xhe,w(P,QsTheHPro)-DDuOGrlbmelazinereontiypcrliraneGeOHDDgniztluserruioatfDnoDH

esnrairmHiDDt:uldortnIuOnoitculusehTst,P(eD-)QPrDHleoburmOneGearilazitnofoDDHel-HﬃeDiorcfgiloslaitnenopxenamlnGenptioncryandeuOrrDgHDzinirela)-,QHADDlimp(Pes:snoeﬃiDilppitac-basedpr-HellmanysbmlocitocoloAscalionti

Adversary receives challengesgq(x1,x2,...,xn), whereqin a setQof polynomialsmultiple challenges allowedcan be interleaved withgp(x1,x2,...,xn)

Adversary sees somegp(x1,x2,...,xn), wherepin a ﬁxed set ofpolynomialsPpolynomialsinstead ofmonomials

oitaDfonnaHDppAd1,2007AGeneralizelemtnEsSNJ—nu2eanesnglemedoandrtebedicelahcneewvers3Adustdarym

pAlpcitafoDDaHdnlization7AGenera12en002,NEuJ—S

Adversary sees somegp(x1,x2,...,xn), wherepin a ﬁxed set ofpolynomialsPpolynomialsinstead ofmonomials

Adversary receives challengesgq(x1,x2,...,xn), whereqin a setQof polynomialsmultiple challenges allowedcan be interleaved withgp(x1,x2,...,xn)

Adversary must decide between challenges and randomelements

nsionopxitneaslanednypcrontineGeliraslsAmyobillcgociforDiﬃe-HellmaneGruOmelbzilarenefDnoioatDHDDOHizgnustlruer(P,QsTheHPro)-DDtaoisnD:ﬃi-eeHllman-basedprotocouserD:tlmiHDeilpP,s(-DQ)ApDHicplItnctiorodumainnOur

radirbyh(foorpruizaleren)gntmeguodsmranadeivrpvoityoibileducelfrrane!soicitccslaanncimbeduReioct..htyeniauitno.sknownpracludeall

Our Main Result

(P,Q)-DDH reduces to basic DDH !

under “natural” conditions onPand

ranezaliontiDDofdnaHlppAtacisnoiespreviousonesEN—SuJen122,00A7eGalerennGDHgDinizednaslaioitpyrcnDHPrQ)-DmobleseluuOrr(e,PsthTamnoitcuder,ytilranegellfuInlb(eioadnuvaDD)Hal(Gentixponybeeesehnitttilatfoyegtheren,d?)toueafris”tiedtnfi“ytely,weigFortunauctitrodInlu:trnsemrianouO)-,Q(PeslimpHiDD:snoitacilppAHDDlman-basDiﬃe-HelloAsysbmderptocoorcfﬃeDiicolgiloopxetnenleH-naml

zingraliGenetionrcpydnnelaasneitonxpnemallHee-iﬃDrofcigolcilobmytocolsAsbasedproeHllam-nsnD:ﬃi-eicplioat-DQ)ApDHeilp,P(sD:tlmiHDOurMainResultQ,P(DD-)orPHmelbHODDreurltsuhesTdurontIruOnoitcuserniamticalippdAanDHfDonoitazilareneGA

In full generality, reduction may be exponential (GDDH)unavoidable (?), due to the generality of the setting

(P,Q)-DDH reduces to basic DDH !under “natural” conditions onPandQ

nosnutale,yoFtrfy“fair”weidenti..sneht.utisoitalkalwnnoncyidelutyourproof(hybriadgrmune)tegenarzelirespouvinesoSNEsnuJ—,12e7002ticapracnarilscedecusoR!acbnitnoverompeindraiadverflesmoilibicud

Univers
Ebooks
Livres audio
Presse
Podcasts
BD
Documents

Introduction Our main result: DDH implies P Q DDH

Protocol analysis

YouScribe

Le catalogue

Le service

Les conditions