Multimedia Network Security Laboratory. Variations of Diffie-Hellman Problem. Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312. Feng Bao, Robert H. Deng, Huafei Zhu.


Variations of Diffie-Hellman Problem. Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312. Feng Bao, Robert H. Deng, Huafei Zhu. Advisers: Prof. 鄭錦楸, Prof. 郭文中. Reporter: 林彥宏.

Outline
1. Introduction
2. Variations of the Computational Diffie-Hellman Problem
3. Variations of the Decisional Diffie-Hellman Problem
4. Conclusions

Introduction
- The Diffie-Hellman problem is a gold mine for cryptographic purposes.
- Variants already studied include the matching Diffie-Hellman problem, the decisional Diffie-Hellman problem and the gap Diffie-Hellman problem.
- This paper studies various computational and decisional problems related to the Diffie-Hellman problem.
- Notation: $A \Rightarrow B$ means that problem $A$ reduces in polynomial time to problem $B$.

Introduction
- If $A$ polynomially reduces to $B$ and there is a polynomial-time algorithm for $B$, then there is a polynomial-time algorithm for $A$ as well.
- Computational Diffie-Hellman problem (CDH): square, inverse and divisible variations.
- Decisional Diffie-Hellman problem (DDH): square, inverse and divisible variations.
- All variations of the computational Diffie-Hellman problem are equivalent to the classic computational Diffie-Hellman problem.
- All variations of the decisional Diffie-Hellman problem are equivalent, except for the argument $\mathrm{DDH} \Rightarrow \mathrm{SDDH}$.

多媒體網路安全實驗室  p be a large prime number  discrete logarithm problem defined in Z p * is hard  G ∈ Z p * be a cyclic group of prime order q  g is assumed to be a generator of G (is prime order)  security parameters p, q are defined as the fixed form p=2q+1 and ord(g)=q 5

多媒體網路安全實驗室  Computational Diffie-Hellman problem (CDH): On input g, g x, g y, computing g xy.  An algorithm that solves the computational Diffie- Hellman problem is a probabilistic polynomial time Turing machine, on input g, g x, g y, outputs g xy with non-negligible probability.  Computational Diffie-Hellman assumption means that there is no such a probabilistic polynomial time Turing machine. 6

多媒體網路安全實驗室  Square computational Diffie-Hellman problem (SCDH): On input g, g x, computing g (x 2 ).  SCDH assumption: no a probabilistic polynomial time Turing machine.  SCDH assumption and CDH assumption are equivalent.  SCDH  CDH  given an oracle A 1, on input g, g x, g y, outputs g xy  exist an algorithm A 2, on input g x, outputs g (x 2 )  u := g r, choose t 1, t 2 ∈ Z q at random, and compute u 1 = u t 1 = g rt 1, and u 2 = u t 2 = g rt 2.  we are able to compute v = A 1 (u 1 ; u 2 )= g r 2 t 1 t 2 with non- negligible probability. 7

多媒體網路安全實驗室  CDH  SCDH  given an oracle A 2, on input g, g x, outputs g (x 2 )  exist an algorithm A 1, on input g, g x, g y, outputs g xy  given g x, we choose s 1, s 2, t 1, t 2 ∈ Z q at random  compute v 1 := A 2 (g xs 1 ) =g (xs 1 2 ), v 2 := A 2 ((g y ) s 2 )=g (ys 2 2 )  we compute v 3 := A 2 ( g xs 1 t 1 +ys 2 t 2 ) = g ((xs 1 t 1 +ys 2 t 2 ) 2 )  s 1, s 2, t 1, t 2 are known already, it follows that g xy can be computed from v 1, v 2, v 3, s 1, s 2, t 1, t 2 immediately with same advantage.  CDH  SCDH 8

多媒體網路安全實驗室  Inverse computational Diffie-Hellman problem (InvCDH): On input g, g x, outputs g (x -1 ).  InvCDH assumption: no a probabilistic polynomial time Turing machine.  InvCDH assumption and SCDH assumption are equivalent.  InvCDH  SCDH  given an oracle A 2, on input g, g x, outputs g (x 2 )  exist an algorithm A 3, on input g x, outputs g (x -1 )  given a random value g r, we set h 1 ←g r and h 2 ←g  input (h 1, h 2 ) to the oracle A 2 to obtain A 2 (h 1, h 2 )=(g r -1 ) r 2, g r -1 A 2 (g r, (g r -1 ) r )=(g r -1 ) r 2 9

多媒體網路安全實驗室  SCDH  InvCDH  given an oracle A 3, on input g, g x, outputs g (x -1 )  exist an algorithm A 2, on input g, g x, outputs g (x 2 )  given a random value g, g r, we set h 1 ←g r and h 2 ←g  input (h 1, h 2 ) to the oracle A 3 to obtain A 3 (h 1, h 2 )= A 3 (g r, (g r ) r -1 )= (g r ) (r -1 ) -1 =g r 2  It follows that g r 2 can be computed from A 3 with the same advantage. 10

多媒體網路安全實驗室  Divisible computation Diffie-Hellman problem (DCDH problem): On random input g, g x, g y, computing g y/ x. We refer this oracle to as divisional computation Diffie- Hellman problem.  DCDH assumption: no a probabilistic polynomial time Turing machine.  DCDH assumption and CDH assumption are equivalent 11

多媒體網路安全實驗室  CDH  DCDH  given an oracle A 4, on input g, g x, g y outputs g y/ x  exist an algorithm A 1, on input g x, g y outputs g xy  given g, g x, g y, choose s 1, s 2, t 1, t 2 ∈ Z q at random  compute v 1 := A 4 (g, (g x ) s 1, g s 2 ) = g xs 1 /s 2, v 2 := A 4 (g, g t 1, (g y ) t 2 ) = g (yt 2 )/t 1  Finally, we compute v := A 3 (v 1, v 2 ) = g (xys 1 t 2 )/(s 2 t 1 )  Since s 1, s 2, t 1, t 2 are known already, it follows that g xy can be computed from v, s 1, s 2, t 1, t 2 immediately with same advantage. 12

多媒體網路安全實驗室  DCDH  CDH  given an oracle A 1, on input g, g x, g y outputs g xy  exist an algorithm A 4, on input g, g x, g y outputs g y/x  given g, g x, g y  construct an InvCDH oracle A 3, input (g, g y ) to A 3 to We prove the fact t obtain v:=g (y -1 )  Input (g, g x, v) to A 1 to obtain g x/y  We prove the fact that if the underlying group with prime order q, all variations of computational Diffie- Hellman problem are equivalent: CDH  SCDH  InvCDH  DCDH 13

多媒體網路安全實驗室  Decisional Diffie-Hellman assumption(DDH): Let G be a large cyclic group of prime order q. We consider the following two distributions:  given a Diffie-Hellman quadruple g, g x, g y and g xy, where x, y ∈ Z q, are random strings chosen uniformly at random  given a random quadruple g, g x, g y and g r, where x, y, r ∈ Z q, are random strings chosen uniformly at random.  An algorithm that solves the Decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions  DDH assumption: no such a polynomial statistical test 14

多媒體網路安全實驗室  Square decisional Diffie-Hellman assumption(SDDH):  Given a square Diffie-Hellman triple g, g x and g x 2, where x ∈ Z q, is a random string chosen uniformly at random;  Given a random triple g, g x and g r, where x, r ∈ Z q, are two random strings chosen uniformly at random.  SDDH assumption: no such a polynomial statistical test.  Inverse decisional Diffie-Hellman assumption(InvDDH):  Given a inverse Diffie-Hellman triple g, g x and g x -1, where x ∈ Z q, is a random string chosen uniformly at random;  Given a random triple g, g x and g r, where x, r ∈ Z q, are two random strings chosen uniformly at random.  InvDDH assumption: no such a polynomial statistical test. 15

多媒體網路安全實驗室  Divisible decisional Diffie-Hellman assumption(DDDH):  Given a divisible Diffie-Hellman quadruple g, g x, g y and g x/y, where x, y ∈ Z q, are random strings chosen uniformly at random;  Given a random quadruple g, g x, g y and g r, where x, r, y ∈ Z q, are random strings chosen uniformly at random.  DDDH assumption: no such a polynomial statistical test.  Relations among variations of decisional Diffie-Hellman assumption 16

多媒體網路安全實驗室  InvDDH  SDDH  Given a distinguisher D 1 which is able to tell SDDH triple from a random triple with non-negligible probability  exists a polynomial distinguisher D 2 which is able to tell InvDDH triple from a random triple with non-negligible advantage.  given g, g x and g r, where r is either x -1 or a random string  setting h 1 ←(g r ) s, h 2 ←g s, h 3 ←(g x ) s 2, where s ∈ Z q  if r=x -1, then h 1 =(g x -1 ) s, and h 2 =(g x -1 ) sx, and h 3 =(g x -1 ) s 2 x 2  if r is a random triple, then (h 1, h 2, h 3 ) is also a random triple  Input (h 1, h 2, h 3 ) to oracle D 1 to obtain correct value b ∈ {0,1} b=0, if the answer of D 1 is SDDH triple, and 1 otherwise 17

多媒體網路安全實驗室  SDDH  InvDDH  Given a distinguisher D 2 which is able to tell InvDDH triple from a random triple with non-negligible advantage.  exists a distinguisher D 1 which is able to tell SDDH triple from a random triple with non-negligible probability  given g, g x, g r where either r=x 2 or r ∈ Z q a random string  setting h 1 ←g x, h 2 ←(g r ) s and h 3 ←g s -1  if r=x 2, then h 1 =g x, h 2 =(g x ) xs and h 3 =(g x ) (xs) -1  if r is a random triple, then (h 1, h 2, h 3 ) is also a random triple  Input (h 1, h 2, h 3 ) to oracle D 2 to obtain correct value b ∈ {0,1} b=0, if the answer of D 2 is InvDDH triple, and 1 otherwise 18

多媒體網路安全實驗室  DDDH  DDH  Given (g, g x, g y, g x/y ), one simply submits (g, g y, g x/y, g x ) to DDH to decide the divisible format of the quadruple  DDH  DDDH  Given (g, g x, g y, g xy ), one queries DDDH with (g, g xy, g y, g x ) and return DDDH’s answer  Therefore, we know the fact that DDDH  DDH. 19

多媒體網路安全實驗室  SDDH  DDH  Given a distinguisher D, which is able to tell the standard decisional Diffie-Hellman triple from the random triple  there exists a distinguisher D 1 that is able to tell the square decisional Diffie-Hellman triple from a random triple  given a triple (g, g x, g z ), where g z is either of the form g y or g x 2  choose two strings s, t at random, compute u←(g x ) s, v←(g x ) t, w←(g z ) st  if (g, g x, g z ) is square DH triple, then (g, u, v, w) is a DH quadruple  input (g, u, v, w) to the distinguisher D to obtain correct value b ∈ {0,1} 20

多媒體網路安全實驗室  DDH  SDDH  Unfortunately, we are not able to show that DDH  SDDH. This leaves an interesting research problem.  Conjecture: Under the assumption of group structure of G, DDH is equivalent to SDDH. 21

多媒體網路安全實驗室  Polynomial samples setting  generalized Decisional Diffie-Hellman assumption: for any k, the following distributions are indistinguishable: - The distribution R 2k of any random tuple (g 1,…, g k, u 1,…, u k ) ∈ G 2k, where g 1,…, g k, and u 1,…, u k are uniformly distributed in G 2k - The distribution D 2k of tuples (g 1,…, g k, u 1,…, u k ) ∈ G 2k, where g 1,…, g k are uniformly distributed in G k, and u 1 =g 1 r,…, u k =g k r for random r ∈ Z q chosen at random 22

多媒體網路安全實驗室  An algorithm that solves the generalized decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions.  Generalized decisional Diffie-Hellman assumption: no polynomial statistical test  DDH  SDDH  InvDDH  DDDH 23

多媒體網路安全實驗室  Generalized square decisional Diffie-Hellman assumption (GSDDH):  The distribution R 3k of any random tuple (g 1,…,g k, g 1 x 1,…, g k x k, u 1,…,u k ) ∈ G 3k, where g 1,…, g k, x 1,…, x k and u 1,…,u k are uniformly distributed in G 3k  The distribution D 3k of tuples (g 1,…,g k, g 1 x 1,…, g k x k, u 1,…,u k ) ∈ G 3k, where g 1,…, g k, g 1 x 1,…,g k x k are uniformly distributed in G k while u 1 =g 1 x 1 2,…,u k =g k x k 2 for each x i uniformly distributed in Z q  GSDDH assumption: no polynomial statistical test 24

多媒體網路安全實驗室  Generalized inverse decisional Diffie-Hellman assumption (GInvDDH):  The distribution R 3k of any random tuple (g 1,…,g k, g 1 x 1,…, g k x k, u 1,…,u k ) ∈ G 3k, where g 1,…, g k, x 1,…, x k and u 1,…,u k are uniformly distributed in G 3k  The distribution D 3k of tuples (g 1,…,g k, g 1 x1,…, g k xk, u 1,…,u k ) ∈ G 3k, where g 1,…, g k, g 1 x 1,…,g k x k are uniformly distributed in G k while u 1 =g 1 x 1 -1,…,u k =g k x k -1 for each x i uniformly distributed in Z q  GInvDDH assumption: no polynomial statistical test 25

多媒體網路安全實驗室  6-DDH  4-DDH  a machine M that can get a non-negligible advantage ε between D 4 and R 4  given any six-tuple (g 1, g 2, g 3, u 1, u 2, u 3 ), which comes from either R 6 or D 6  M’ runs M on the quadruple (g 1 g 2, g 3, u 1 u 2, u 3 ) and simply forwards the answer  If the input comes from D 4 (D 6 respectively), it outputs 1 and 0 if the input tuple comes from R 4 (R 6 respectively). 26


多媒體網路安全實驗室  4-DDH  6-DDH  a machine M that can get a non-negligible advantage ε between D 6 and R 6  given quadruple (g 1, g 2, u 1, u 2 )  M’ runs M on the six-tuple (g 1, g 2, g 1 s g 2 t, u 1, u 2, u 1 s u 2 t ) for randomly chosen s and t in Z q, and forwards the answer 28


Conclusions
- We have studied the relationships among variations of the Diffie-Hellman problem, including the computational and decisional cases, with efficient reductions.
- We show that all four variations of the computational Diffie-Hellman problem are equivalent if the order of the underlying cyclic group is a large prime.
- We are able to show that all variations of the decisional Diffie-Hellman problem are equivalent except for the argument $\mathrm{DDH} \Rightarrow \mathrm{SDDH}$, which is left as an interesting open problem.
