Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups
Essam Ghadafi (University of the West of England), Jens Groth (University College London)
Prime order cyclic group
- Group generator: $(G, g) \leftarrow \mathrm{Gen}(1^\lambda)$
- Group $G$ of known prime order $p$
- Uniformly random generator $g$ such that $G = \langle g \rangle$
- Efficiently computable group operations
Generic group model: the adversary is restricted to group operations and equality testing.
Computational problems in cyclic groups
For now, a single cyclic group $(G, g)$ of prime order $p$. Later, bilinear groups with pairings $(G_1, G_2, G_T, g_1, g_2, e)$.
- Discrete Logarithm: given $g, g^x$, compute $x$
- Computational Diffie-Hellman: given $g, g^a, g^b$, compute $g^{ab}$
- Generalized Diffie-Hellman Exponent: given $g, g^x, \ldots, g^{x^{q-1}}, g^{x^{q+1}}, \ldots, g^{x^{2q}}$, compute $g^{x^q}$
- Strong Diffie-Hellman: given $g, g^x, \ldots, g^{x^q}$, output $(c, g^{1/(x+c)})$
Non-interactive computational assumptions (diagram): the generic group model at the top; below it, three yet-unlabelled assumptions (?, ?, ?), then Computational Diffie-Hellman (CDH) and the discrete logarithm problem (DL).
Non-interactive computational assumptions (diagram): the generic group model at the top; below it the $q$-GDHE & $q$-SFrac assumptions, split into polynomial assumptions ($q$-GDHE) and fractional assumptions ($q$-SFrac); then Computational Diffie-Hellman (CDH) and the discrete logarithm problem (DL).
Non-interactive computational assumption
- PPT instance generator: $(pub, priv) \leftarrow I(1^\lambda)$
- DPT solution verifier: $b \leftarrow V(pub, priv, sol)$, accept if $b = 1$, reject if $b = 0$
Definition: The non-interactive computational assumption $(I, V)$ holds if for all PPT adversaries $A$
$\Pr\left[(pub, priv) \leftarrow I(1^\lambda);\ sol \leftarrow A(pub) : V(pub, priv, sol) = 1\right] \approx 0$
$(d, m, n)$-target assumption
- $(pub, priv) \leftarrow I(1^\lambda)$:
  - $(G, g) \leftarrow \mathrm{Gen}(1^\lambda)$
  - $\left(\frac{a_1(\vec X)}{b_1(\vec X)}, \ldots, \frac{a_n(\vec X)}{b_n(\vec X)}, pub', priv'\right) \leftarrow I_{core}(G)$, where the $a_i, b_i$ are $m$-variate polynomials of total degree $d$ or less
  - $\vec x \leftarrow \mathbb{Z}_p^m$ (such that all $b_i(\vec x) \neq 0$)
  - $pub = \left(G, g^{a_1(\vec x)/b_1(\vec x)}, \ldots, g^{a_n(\vec x)/b_n(\vec x)}, \frac{a_1(\vec X)}{b_1(\vec X)}, \ldots, \frac{a_n(\vec X)}{b_n(\vec X)}, pub'\right)$; $priv = (g, \vec x, priv')$
- $b \leftarrow V\left(pub, priv, sol = \left(\frac{r(\vec X)}{s(\vec X)}, y, sol'\right)\right)$, where $\frac{r(\vec X)}{s(\vec X)}$ is the adversary's target:
  - Check $\frac{r(\vec X)}{s(\vec X)} \notin \mathrm{span}\left(\frac{a_1(\vec X)}{b_1(\vec X)}, \ldots, \frac{a_n(\vec X)}{b_n(\vec X)}\right)$ as formal polynomials (this ensures a generic adversary cannot break the assumption)
  - Check $y = g^{r(\vec x)/s(\vec x)}$ and check $V_{core}(pub, priv, sol) = 1$
- Examples:
  - CDH assumption: $\left(\frac{1}{1}, \frac{X_1}{1}, \frac{X_2}{1}\right) \leftarrow I_{core}(G)$; $V_{core}\left(\frac{1}{1}, \frac{X_1}{1}, \frac{X_2}{1}, \frac{r(\vec X)}{s(\vec X)}, y\right)$ checks $\frac{r(\vec X)}{s(\vec X)} = X_1 X_2$
  - $q$-SDH assumption: $\left(\frac{1}{1}, \frac{X}{1}, \ldots, \frac{X^q}{1}\right) \leftarrow I_{core}(G)$; $V_{core}\left(\frac{1}{1}, \frac{X}{1}, \ldots, \frac{X^q}{1}, \frac{r(X)}{s(X)}, y\right)$ checks $\frac{r(X)}{s(X)} = \frac{1}{X + c}$
- Terminology:
  - The assumption is simple if $b_i(\vec X) = 1$ for all $i$ (the given exponents are polynomials)
  - The assumption is univariate if $m = 1$
  - The assumption is polynomial if $s(\vec X) = 1$
  - The assumption is fractional if $s(\vec X) \nmid r(\vec X)$
Hierarchy of target assumptions (diagram): target assumptions ⊇ simple target assumptions ⊇ univariate simple target assumptions, which split into polynomial and fractional assumptions, with GDHE and SFrac as their respective representatives.
Uber assumptions
- Generalized Diffie-Hellman Exponent ($q$-GDHE): given $g, g^x, \ldots, g^{x^{q-1}}, g^{x^{q+1}}, \ldots, g^{x^{2q}}$, it is hard to compute $g^{x^q}$
- Simple Fractional ($q$-SFrac): given $g, g^x, \ldots, g^{x^q}$, it is hard to output $\left(\frac{r(X)}{s(X)}, g^{r(x)/s(x)}\right)$ with $\deg(s) > \deg(r)$
- The $q$-SDH problem (given $(g, g^x, \ldots, g^{x^q})$, output $(c, g^{1/(x+c)})$) is a special case of the $q$-SFrac problem with $r(X) = 1$ and $s(X) = X + c$
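The instance generator and solution verifier of the $(d,m,n)$-target assumption, and the relation on this slide that $q$-SDH is a $q$-SFrac instance with $r(X)=1$, $s(X)=X+c$, as an added Python example written for this page; it is not code from the paper or its authors. It restricts to the univariate case $m = 1$ with no $pub'$/$priv'$ part, and uses a constructed toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ generated by 4) so that everything runs offline; the function names (poly_mul, in_span, fraction_in_span, instance, verify, sdh_fracs, gdhe_fracs, demo) are the example's own. The span check is the verifier's generic-group filter: a target that is a formal linear combination of the given exponents is rejected because a generic algorithm could compute it from $pub$ alone.

```python
"""Toy verifier for a univariate (m = 1) target assumption.
Added example, not code from the paper or the talk. Toy group (constructed):
the subgroup of prime order P = 1019 in Z_2039^*, generated by G = 4. Polynomials
over Z_P are coefficient lists, lowest degree first; a fraction a(X)/b(X) is (a, b).
"""
import random

Q = 2039   # ambient modulus, 2039 = 2 * 1019 + 1 (constructed toy parameters)
P = 1019   # prime order of <G>; exponent arithmetic is mod P
G = 4      # generator of the order-P subgroup (4 = 2^2 is a square mod Q)

def poly_mul(f, h):
    """Product of two polynomials over Z_P."""
    out = [0] * (len(f) + len(h) - 1)
    for i, fi in enumerate(f):
        for j, hj in enumerate(h):
            out[i + j] = (out[i + j] + fi * hj) % P
    return out

def poly_eval(f, x):
    """Horner evaluation of f at x in Z_P."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % P
    return acc

def in_span(target, vectors):
    """Gauss-Jordan elimination over Z_P: is target a Z_P-linear combination of vectors?"""
    n = max([len(target)] + [len(v) for v in vectors])
    pad = lambda v: list(v) + [0] * (n - len(v))
    basis = []                                  # (pivot column, row), reduced echelon form
    for v in map(pad, vectors):
        for col, row in basis:                  # clear existing pivot columns from v
            v = [(a - v[col] * b) % P for a, b in zip(v, row)]
        col = next((i for i, a in enumerate(v) if a), None)
        if col is None:
            continue                            # v depends on earlier vectors
        inv = pow(v[col], P - 2, P)
        v = [(a * inv) % P for a in v]
        basis = [(c, [(a - row[col] * b) % P for a, b in zip(row, v)]) for c, row in basis]
        basis.append((col, v))
    t = pad(target)
    for col, row in basis:
        t = [(a - t[col] * b) % P for a, b in zip(t, row)]
    return not any(t)                           # zero residual <=> target in span

def fraction_in_span(r, s, fracs):
    """Is r(X)/s(X) in the span of the a_i(X)/b_i(X) as formal rational functions?
    Clearing denominators: r * prod(b_j) = sum_i c_i * a_i * s * prod_{j != i} b_j."""
    target = r
    for _, b in fracs:
        target = poly_mul(target, b)
    vecs = []
    for i, (a, _) in enumerate(fracs):
        v = poly_mul(a, s)
        for j, (_, b) in enumerate(fracs):
            if j != i:
                v = poly_mul(v, b)
        vecs.append(v)
    return in_span(target, vecs)

def instance(fracs, rng=random):
    """Instance generator I: x with all b_i(x) != 0; pub = g^{a_i(x)/b_i(x)}, priv = x."""
    while True:
        x = rng.randrange(P)
        if all(poly_eval(b, x) for _, b in fracs):
            break
    pub = [pow(G, poly_eval(a, x) * pow(poly_eval(b, x), P - 2, P) % P, Q) for a, b in fracs]
    return pub, x

def verify(fracs, x, sol):
    """Verifier V for sol = (r, s, y): target outside the span and y = g^{r(x)/s(x)}."""
    r, s, y = sol
    if fraction_in_span(r, s, fracs):
        return False                # a generic algorithm could compute this from pub alone
    sx = poly_eval(s, x)
    if sx == 0:
        return False                # r(x)/s(x) undefined
    return y == pow(G, poly_eval(r, x) * pow(sx, P - 2, P) % P, Q)

def sdh_fracs(q):   # q-SDH / q-SFrac inputs: X^0, ..., X^q, all denominators 1
    return [([0] * i + [1], [1]) for i in range(q + 1)]

def gdhe_fracs(q):  # q-GDHE inputs: X^0..X^{q-1}, X^{q+1}..X^{2q}; X^q is missing
    return [([0] * i + [1], [1]) for i in range(2 * q + 1) if i != q]

def demo(q=3, seed=1):
    """Run V on three candidate solutions; the 'solver' here cheats by using priv = x."""
    rng = random.Random(seed)
    fr = sdh_fracs(q)
    pub, x = instance(fr, rng)
    c = 7 if (x + 7) % P else 8                 # keep x + c != 0 mod P
    y = pow(G, pow((x + c) % P, P - 2, P), Q)   # g^{1/(x+c)}
    sdh_ok = verify(fr, x, ([1], [c, 1], y))    # q-SDH as q-SFrac: r = 1, s = X + c
    trivial = verify(fr, x, ([0] * q + [1], [1], pub[q]))   # g^{x^q} is in pub: rejected
    _, x2 = instance(gdhe_fracs(q), rng)
    gdhe_ok = verify(gdhe_fracs(q), x2, ([0] * q + [1], [1], pow(G, pow(x2, q, P), Q)))
    return sdh_ok, trivial, gdhe_ok

if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Running demo() shows the verifier accepting a correct q-SDH solution written in SFrac form and a correct q-GDHE solution (the missing power $g^{x^q}$), while rejecting a "solution" whose target $X^q$ already lies in the span of the published exponents. The denominator-clearing step in fraction_in_span is what makes the fractional case a plain linear-algebra question; it is the same check whether the target is polynomial ($s = 1$) or fractional.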
Target assumption hierarchy (diagram, from top to bottom): ⋮ / 3-GDHE & 3-SFrac / 2-GDHE & 2-SFrac / 1-GDHE & 1-SFrac / CDH
Structural analysis (implication diagram between the uber assumptions)
      ⋮               ⋮
   3-GDHE          3-SFrac
      ⇓               ⇓
   2-GDHE    ⟸     2-SFrac
      ⇓               ⇓
   1-GDHE          1-SFrac
      ⇕               ⇓
             CDH
Asymmetric bilinear groups
- Bilinear group generator: $(G_1, G_2, G_T, g_1, g_2) \leftarrow \mathrm{BGen}(1^\lambda)$
- Groups $G_1, G_2, G_T$ of known prime order $p$
- Efficiently computable group operations in $G_1, G_2, G_T$
- Efficiently computable bilinear map $e: G_1 \times G_2 \to G_T$ with $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$
- Random generators $g_1, g_2$ such that $G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$
- Defining $g_T = e(g_1, g_2)$ we have $G_T = \langle g_T \rangle$
- Asymmetric (type III) setting where $G_1 \neq G_2$
Bilinear target assumption stratification (diagram, from top to bottom)
- For $\alpha \in \{1, 2\}$: ⋮ / 2-BGDHE & 2-BSFrac / 1-BGDHE & 1-BSFrac / CDH
- For $\alpha = T$: ⋮ / 2-BGap & 2-BSFrac / 1-BGap & 1-BSFrac / CDH
Open problems
- Prove or disprove the conjecture $q$-GDHE ⇒ 1-SDH
- Find structure in the SFrac assumptions
- Simplify the $q$-BGap assumptions
- Tightness
- Analyze assumptions where the goal is to output a set of group elements $y_1, \ldots, y_\ell$ with some relationship to each other
- Analyze interactive assumptions
Conclusions
Cryptographers:
- Most non-interactive computational assumptions in use are implied by the GDHE & SFrac assumptions
- All non-fractional assumptions are implied by GDHE, giving us a "canary in the coal mine" barrier
Cryptanalysts:
- The GDHE and SFrac assumptions are the easiest targets to attack
- Do not try to break discrete log; attack the "canary in the coal mine" assumptions first