Introduction Our main result: DDH implies P Q DDH

De
Publié par

Introduction Our main result: DDH implies (P,Q)-DDH Applications: Diffie-Hellman-based protocols A symbolic logic for Diffie-Hellman exponentials and encryption A generalization of DDH with applications to protocol analysis and computational soundness Emmanuel Bresson1, Yassine Lakhnech2, Laurent Mazare3, Bogdan Warinschi4 DCSSI Crypto Lab, VERIMAG Grenoble, Amadeus SAS, University of Bristol, July 4, 2007 ENS — June 21, 2007 A Generalization of DDH and Applications

  • ddh

  • generalizing ddh

  • pseudo-random generators

  • protocol analysis

  • adversary must

  • secure public-key

  • make protocol

  • multiple challenges

  • key exchange


Publié le : mardi 19 juin 2012
Lecture(s) : 11
Source : di.ens.fr
Nombre de pages : 92
Voir plus Voir moins
IntroductionOuramnierustlD:HDmiieplP,s(-DQ)ApDHcilpoitaD:sn-eiman-HelldprobaseslsAotocillcmyobrDfoicogllHee-inopxenamaslaitneitnodnnercpyENSJanDHfDnoioatizalreneGA7002,12enu
A generalization of DDH with applications toprotocol analysis and computational soundness
Amadeus SAS,laurent.mazare@m4x.org
VERIMAG Grenoble,yassine.lakhnech@imag.fr
DCSSI Crypto Lab,emmanuel@bresson.org
Emmanuel Bresson1, Yassine Lakhnech2,LaurentMazare´3,Bogdan Warinschi4
s
University of Bristol,bogdan@cs.bris.ac.uk
July 4, 2007
itnoilacAdpp
nera7AGe,200ne21aHdnfoDDitnoilaz
DDH assumption
Givengxandgy, it is computationally diffi-cult to distinguish betweengxyandgr
Simple:so easy to stateNice:properties such as random self-reducibilityApplications:numerous. . .secure public-key encryption [EG85,CS98]pseudo-random functions [NR97,Can97]pseudo-random generators [BM84]key exchange: seminal application [DH76]
nsioaticplApNEuJSortnIQ)P,DH-DplApaticsnoiiD:eH-eamllductionOurmainreustlD:HDmilpei(spxenamlleH-eiDrcrenndsaaltienonocslorotespd-nabicfoclogboliAsymPHDDlborP(eh-)Q,obprmaleThemDHeDenarilizpyitnoeGresultsTngDDHOursesuitnds
udortnIurnOioctsureinmanopxenamlleH-eirDfoicogclliboymizgnarileGenitnocrypndenalsaenticilpoitaD-)QpAHDieplP,s(:DltimDHotocslsAabespdorHellman-ns:Die-,Q(PDD)-roHPemblOHDDerrutlusehTseGenarilizgnDDHnoitDDfodnaHlppAaticnsio
Most famous: Group Diffie-Hellman [Ste96,BCP02b]givengQixi, for up ton1 exponents, decidegx1∙∙∙xnvs. gr
Appear naturally when generalizing protocolstwo-party to multi-party key exchange
Make protocol analysissimplerstill useful if the assumption can be reduced to a standard onemake protocol construction moremodular
NESuJen12,2007AGeneraliza
PHorlbmeeRaletwdsultsThe(P,Q)-DDkorneGAlare,12e7002DHfDdAanatiznoionos
Larger number of variables“group DH” problem [BCP02b], testgx1∙∙∙xn“parallel DH” problem [BCP02c]: givengxi, test thegxir“multiple DDH” problem [BCP02a]: givengxi, test thegxixj
More general polynomials expressions [Kil01]gaandgb, and a (single) challengegP(a,b)
Other extensions:General Diffie-Hellman Exponent (GDHE) [BBG05]Square Exponent [MW96,CS00,Shp02]Inverse Exponent [SS01]
ppilacitJnuESNtlD:HDmiamnierusctionOurIntroduralizingDDHOurrednnercpyitnoeGennemaonxptiensaalcigoDrof-eilleHlsAstocoliclymboam-neHllpdorabesioaticple-i:Dns,P(seilppAHDD-)Q
ions
Adversary sees somegp(x1,x2,...,xn)wherepin a fixed set of,polynomialsPpolynomialsinstead ofmonomials
1
foDDaHdnpAlpcitamenemoleardnasdnengehalleencbetwnoitazilareneGA700,221neJuSENtsiwhtpgx(reelvadecanbeintsallowededtsedicasreumyrn),xdv3Ax21,..,.llHee-i:DnsioatcilppAHDD-)Q,P(splieDHimlt:DresuamniOnrutcoiorudsaalenndonxptienlleHenamDrof-eiliclogiclsAsymbopdorotocam-nabestnIreasA2vdalleeschceivryreonimlamsQtfoopylhallengeultiplec2x,1...,segnx(qgqiresenan),xhe,w(P,QsTheHPro)-DDuOGrlbmelazinereontiypcrliraneGeOHDDgniztluserruioatfDnoDH
esnrairmHiDDt:uldortnIuOnoitculusehTst,P(eD-)QPrDHleoburmOneGearilazitnofoDDHel-HeDiorcfgiloslaitnenopxenamlnGenptioncryandeuOrrDgHDzinirela)-,QHADDlimp(Pes:snoeiDilppitac-basedpr-HellmanysbmlocitocoloAscalionti
Adversary receives challengesgq(x1,x2,...,xn), whereqin a setQof polynomialsmultiple challenges allowedcan be interleaved withgp(x1,x2,...,xn)
2
s
1
Adversary sees somegp(x1,x2,...,xn), wherepin a fixed set ofpolynomialsPpolynomialsinstead ofmonomials
oitaDfonnaHDppAd1,2007AGeneralizelemtnEsSNJnu2eanesnglemedoandrtebedicelahcneewvers3Adustdarym
pAlpcitafoDDaHdnlization7AGenera12en002,NEuJS
2
Adversary sees somegp(x1,x2,...,xn), wherepin a fixed set ofpolynomialsPpolynomialsinstead ofmonomials
Adversary receives challengesgq(x1,x2,...,xn), whereqin a setQof polynomialsmultiple challenges allowedcan be interleaved withgp(x1,x2,...,xn)
3
1
Adversary must decide between challenges and randomelements
nsionopxitneaslanednypcrontineGeliraslsAmyobillcgociforDie-HellmaneGruOmelbzilarenefDnoioatDHDDOHizgnustlruer(P,QsTheHPro)-DDtaoisnD:i-eeHllman-basedprotocouserD:tlmiHDeilpP,s(-DQ)ApDHicplItnctiorodumainnOur
radirbyh(foorpruizaleren)gntmeguodsmranadeivrpvoityoibileducelfrrane!soicitccslaanncimbeduReioct..htyeniauitno.sknownpracludeall
Q
Our Main Result
(P,Q)-DDH reduces to basic DDH !
under “natural” conditions onPand
ranezaliontiDDofdnaHlppAtacisnoiespreviousonesENSuJen122,00A7eGalerennGDHgDinizednaslaioitpyrcnDHPrQ)-DmobleseluuOrr(e,PsthTamnoitcuder,ytilranegellfuInlb(eioadnuvaDD)Hal(Gentixponybeeesehnitttilatfoyegtheren,d?)toueafristiedtnfiytely,weigFortunauctitrodInlu:trnsemrianouO)-,Q(PeslimpHiDD:snoitacilppAHDDlman-basDie-HelloAsysbmderptocoorcfeDiicolgiloopxetnenleH-naml
zingraliGenetionrcpydnnelaasneitonxpnemallHee-iDrofcigolcilobmytocolsAsbasedproeHllam-nsnD:i-eicplioat-DQ)ApDHeilp,P(sD:tlmiHDOurMainResultQ,P(DD-)orPHmelbHODDreurltsuhesTdurontIruOnoitcuserniamticalippdAanDHfDonoitazilareneGA
In full generality, reduction may be exponential (GDDH)unavoidable (?), due to the generality of the setting
(P,Q)-DDH reduces to basic DDH !under “natural” conditions onPandQ
nosnutale,yoFtrfyfairweidenti..sneht.utisoitalkalwnnoncyidelutyourproof(hybriadgrmune)tegenarzelirespouvinesoSNEsnuJ,12e7002ticapracnarilscedecusoR!acbnitnoverompeindraiadverflesmoilibicud
Fortunately, we identify “fair” situations. . . they include all known practical scenarios !
(P,Q)-DDH reduces to basic DDH !unde “ tu l” conditions onPandQr na ra
In full generality, reduction may be exponential (GDDH)unavoidable (?), due to the generality of the setting
ticasonibilytuoprorfoh(ybridargument)gebnacpmieevoraivdndraseomrelfciduGAne0270zitarelafDDHionoppliandAezilarenuoiverpsNSsEneso1,e2unJnoitcudeRtlbmeuOMriaRnseluurnOinmaduroiocttnIDHApplics(P,Q)-DHDmilpeierustlD:pyrcnoiteneGilaronxptiensaalenndTsehP(Q,-)DDPHorzingDDHOurresultesab-namocotorpd:DnsioatllHee-ii-eofDrameneHllymbolsAsogiclicl
Soyez le premier à déposer un commentaire !

17/1000 caractères maximum.