Published by Cecily Felicity Davis. Modified over 8 years ago.
1
Multimedia Network Security Laboratory
Variations of Diffie-Hellman Problem
Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312
Feng Bao, Robert H. Deng, Huafei Zhu
Advisers: Prof. 鄭錦楸, Prof. 郭文中
Reporter: 林彥宏
2
1. Introduction
2. Variations of Computational Diffie-Hellman Problem
3. Variations of Decisional Diffie-Hellman Problem
4. Conclusions
3
Introduction
- The Diffie-Hellman problem is a gold mine for cryptographic purposes: matching Diffie-Hellman problem, decisional Diffie-Hellman problem, Gap Diffie-Hellman problem.
- This paper studies various computational and decisional problems related to the Diffie-Hellman problems.
- A B: problem A reduces in polynomial time to another problem B
4
Introduction
- If A polynomially reduces to B and there is a polynomial time algorithm for B, then there is also a polynomial time algorithm for A.
- Computational Diffie-Hellman problem (CDH): square, inverse and divisible
- Decisional Diffie-Hellman problem (DDH): square, inverse and divisible
- All variations of the computational Diffie-Hellman problem are equivalent to the classic computational Diffie-Hellman problem.
- All variations of the decisional Diffie-Hellman problem are equivalent except for the argument DDH SDDH.
5
- Let $p$ be a large prime number such that the discrete logarithm problem defined in $Z_p^*$ is hard.
- Let $G \in Z_p^*$ be a cyclic group of prime order $q$.
- $g$ is assumed to be a generator of $G$ (which is of prime order).
- The security parameters $p, q$ are defined in the fixed form $p = 2q + 1$ and $\mathrm{ord}(g) = q$.
6
Computational Diffie-Hellman problem (CDH): on input $g, g^x, g^y$, compute $g^{xy}$.
- An algorithm that solves the computational Diffie-Hellman problem is a probabilistic polynomial time Turing machine that, on input $g, g^x, g^y$, outputs $g^{xy}$ with non-negligible probability.
- The computational Diffie-Hellman assumption means that there is no such probabilistic polynomial time Turing machine.
7
Square computational Diffie-Hellman problem (SCDH): on input $g, g^x$, compute $g^{x^2}$.
- SCDH assumption: there is no such probabilistic polynomial time Turing machine.
- The SCDH assumption and the CDH assumption are equivalent.
SCDH CDH
- Given an oracle $A_1$ that, on input $g, g^x, g^y$, outputs $g^{xy}$, there exists an algorithm $A_2$ that, on input $g^x$, outputs $g^{x^2}$.
- Set $u := g^r$, choose $t_1, t_2 \in Z_q$ at random, and compute $u_1 = u^{t_1} = g^{rt_1}$ and $u_2 = u^{t_2} = g^{rt_2}$.
- We are able to compute $v = A_1(u_1, u_2) = g^{r^2 t_1 t_2}$ with non-negligible probability.
8
CDH SCDH
- Given an oracle $A_2$ that, on input $g, g^x$, outputs $g^{x^2}$, there exists an algorithm $A_1$ that, on input $g, g^x, g^y$, outputs $g^{xy}$.
- Given $g^x$, we choose $s_1, s_2, t_1, t_2 \in Z_q$ at random and compute $v_1 := A_2(g^{xs_1}) = g^{(xs_1)^2}$, $v_2 := A_2((g^y)^{s_2}) = g^{(ys_2)^2}$.
- We compute $v_3 := A_2(g^{xs_1t_1 + ys_2t_2}) = g^{(xs_1t_1 + ys_2t_2)^2}$.
- Since $s_1, s_2, t_1, t_2$ are known already, it follows that $g^{xy}$ can be computed from $v_1, v_2, v_3, s_1, s_2, t_1, t_2$ immediately with the same advantage.
CDH SCDH
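The reduction on this slide, carried through in a toy group as an added example (not code from the paper or the slides). The parameters `P`, `Q`, `G`, the brute-force `scdh_oracle` standing in for the assumed oracle $A_2$, and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters in the slides' form p = 2q + 1 (far too small for real use).
Q = 1019
P = 2 * Q + 1      # 2039, prime
G = 4              # a square mod P other than 1, so ord(G) = Q

def dlog(h):
    """Brute-force discrete log base G; feasible only because the group is tiny."""
    acc = 1
    for e in range(Q):
        if acc == h:
            return e
        acc = acc * G % P
    raise ValueError("element is not in the order-Q subgroup")

def scdh_oracle(h):
    """Stand-in for the assumed square oracle A_2: g^x -> g^(x^2)."""
    x = dlog(h)
    return pow(G, x * x % Q, P)

def cdh_from_scdh(gx, gy, A2=scdh_oracle):
    """Compute g^(xy) from g^x, g^y using three calls to a square oracle."""
    # Nonzero blinding factors, so that 2*s1*s2*t1*t2 is invertible mod Q.
    s1, s2, t1, t2 = (1 + secrets.randbelow(Q - 1) for _ in range(4))
    v1 = A2(pow(gx, s1, P))                                  # g^((x s1)^2)
    v2 = A2(pow(gy, s2, P))                                  # g^((y s2)^2)
    v3 = A2(pow(gx, s1 * t1, P) * pow(gy, s2 * t2, P) % P)   # g^((x s1 t1 + y s2 t2)^2)
    # (x s1 t1 + y s2 t2)^2 = (x s1)^2 t1^2 + 2 xy s1 s2 t1 t2 + (y s2)^2 t2^2,
    # so dividing out the two pure squares leaves g^(2 xy s1 s2 t1 t2).
    squares = pow(v1, t1 * t1, P) * pow(v2, t2 * t2, P) % P
    cross = v3 * pow(squares, -1, P) % P
    # Strip the known factor 2*s1*s2*t1*t2 from the exponent.
    return pow(cross, pow(2 * s1 * s2 * t1 * t2, -1, Q), P)

if __name__ == "__main__":
    x, y = 123, 456
    print(cdh_from_scdh(pow(G, x, P), pow(G, y, P)) == pow(G, x * y % Q, P))
```

The final exponent inversion works because $q$ is an odd prime, which is where the prime-order requirement of the slides enters.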
9
Inverse computational Diffie-Hellman problem (InvCDH): on input $g, g^x$, output $g^{x^{-1}}$.
- InvCDH assumption: there is no such probabilistic polynomial time Turing machine.
- The InvCDH assumption and the SCDH assumption are equivalent.
InvCDH SCDH
- Given an oracle $A_2$ that, on input $g, g^x$, outputs $g^{x^2}$, there exists an algorithm $A_3$ that, on input $g^x$, outputs $g^{x^{-1}}$.
- Given a random value $g^r$, we set $h_1 \leftarrow g^r$ and $h_2 \leftarrow g$.
- Input $(h_1, h_2)$ to the oracle $A_2$ to obtain $A_2(h_1, h_2) = (g^{r^{-1}})^{r^2}$, $g^{r^{-1}}$
- $A_2(g^r, (g^{r^{-1}})^r) = (g^{r^{-1}})^{r^2}$
10
SCDH InvCDH
- Given an oracle $A_3$ that, on input $g, g^x$, outputs $g^{x^{-1}}$, there exists an algorithm $A_2$ that, on input $g, g^x$, outputs $g^{x^2}$.
- Given a random value $g, g^r$, we set $h_1 \leftarrow g^r$ and $h_2 \leftarrow g$.
- Input $(h_1, h_2)$ to the oracle $A_3$ to obtain $A_3(h_1, h_2) = A_3(g^r, (g^r)^{r^{-1}}) = (g^r)^{(r^{-1})^{-1}} = g^{r^2}$.
- It follows that $g^{r^2}$ can be computed from $A_3$ with the same advantage.
11
Divisible computation Diffie-Hellman problem (DCDH problem): on random input $g, g^x, g^y$, compute $g^{y/x}$.
- We refer to this oracle as the divisional computation Diffie-Hellman problem.
- DCDH assumption: there is no such probabilistic polynomial time Turing machine.
- The DCDH assumption and the CDH assumption are equivalent.
12
CDH DCDH
- Given an oracle $A_4$ that, on input $g, g^x, g^y$, outputs $g^{y/x}$, there exists an algorithm $A_1$ that, on input $g^x, g^y$, outputs $g^{xy}$.
- Given $g, g^x, g^y$, choose $s_1, s_2, t_1, t_2 \in Z_q$ at random and compute $v_1 := A_4(g, (g^x)^{s_1}, g^{s_2}) = g^{xs_1/s_2}$, $v_2 := A_4(g, g^{t_1}, (g^y)^{t_2}) = g^{(yt_2)/t_1}$.
- Finally, we compute $v := A_3(v_1, v_2) = g^{(xys_1t_2)/(s_2t_1)}$.
- Since $s_1, s_2, t_1, t_2$ are known already, it follows that $g^{xy}$ can be computed from $v, s_1, s_2, t_1, t_2$ immediately with the same advantage.
13
DCDH CDH
- Given an oracle $A_1$ that, on input $g, g^x, g^y$, outputs $g^{xy}$, there exists an algorithm $A_4$ that, on input $g, g^x, g^y$, outputs $g^{y/x}$.
- Given $g, g^x, g^y$, construct an InvCDH oracle $A_3$ and input $(g, g^y)$ to $A_3$ to obtain $v := g^{y^{-1}}$.
- Input $(g, g^x, v)$ to $A_1$ to obtain $g^{x/y}$.
- We prove the fact that if the underlying group has prime order $q$, all variations of the computational Diffie-Hellman problem are equivalent: CDH SCDH InvCDH DCDH
14
Decisional Diffie-Hellman assumption (DDH): Let $G$ be a large cyclic group of prime order $q$. We consider the following two distributions:
- a Diffie-Hellman quadruple $g, g^x, g^y$ and $g^{xy}$, where $x, y \in Z_q$ are random strings chosen uniformly at random;
- a random quadruple $g, g^x, g^y$ and $g^r$, where $x, y, r \in Z_q$ are random strings chosen uniformly at random.
An algorithm that solves the Decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions.
DDH assumption: there is no such polynomial statistical test.
15
Square decisional Diffie-Hellman assumption (SDDH):
- Given a square Diffie-Hellman triple $g, g^x$ and $g^{x^2}$, where $x \in Z_q$ is a random string chosen uniformly at random;
- Given a random triple $g, g^x$ and $g^r$, where $x, r \in Z_q$ are two random strings chosen uniformly at random.
- SDDH assumption: there is no such polynomial statistical test.
Inverse decisional Diffie-Hellman assumption (InvDDH):
- Given an inverse Diffie-Hellman triple $g, g^x$ and $g^{x^{-1}}$, where $x \in Z_q$ is a random string chosen uniformly at random;
- Given a random triple $g, g^x$ and $g^r$, where $x, r \in Z_q$ are two random strings chosen uniformly at random.
- InvDDH assumption: there is no such polynomial statistical test.
16
Divisible decisional Diffie-Hellman assumption (DDDH):
- Given a divisible Diffie-Hellman quadruple $g, g^x, g^y$ and $g^{x/y}$, where $x, y \in Z_q$ are random strings chosen uniformly at random;
- Given a random quadruple $g, g^x, g^y$ and $g^r$, where $x, r, y \in Z_q$ are random strings chosen uniformly at random.
- DDDH assumption: there is no such polynomial statistical test.
Relations among variations of decisional Diffie-Hellman assumption
17
InvDDH SDDH
- Given a distinguisher $D_1$ which is able to tell an SDDH triple from a random triple with non-negligible probability, there exists a polynomial distinguisher $D_2$ which is able to tell an InvDDH triple from a random triple with non-negligible advantage.
- Given $g, g^x$ and $g^r$, where $r$ is either $x^{-1}$ or a random string, set $h_1 \leftarrow (g^r)^s$, $h_2 \leftarrow g^s$, $h_3 \leftarrow (g^x)^{s^2}$, where $s \in Z_q$.
- If $r = x^{-1}$, then $h_1 = (g^{x^{-1}})^s$, $h_2 = (g^{x^{-1}})^{sx}$, and $h_3 = (g^{x^{-1}})^{s^2x^2}$.
- If $r$ is a random string, then $(h_1, h_2, h_3)$ is also a random triple.
- Input $(h_1, h_2, h_3)$ to oracle $D_1$ to obtain the correct value $b \in \{0,1\}$: $b = 0$ if the answer of $D_1$ is SDDH triple, and 1 otherwise.
18
SDDH InvDDH
- Given a distinguisher $D_2$ which is able to tell an InvDDH triple from a random triple with non-negligible advantage, there exists a distinguisher $D_1$ which is able to tell an SDDH triple from a random triple with non-negligible probability.
- Given $g, g^x, g^r$, where either $r = x^2$ or $r \in Z_q$ is a random string, set $h_1 \leftarrow g^x$, $h_2 \leftarrow (g^r)^s$ and $h_3 \leftarrow g^{s^{-1}}$.
- If $r = x^2$, then $h_1 = g^x$, $h_2 = (g^x)^{xs}$ and $h_3 = (g^x)^{(xs)^{-1}}$.
- If $r$ is a random string, then $(h_1, h_2, h_3)$ is also a random triple.
- Input $(h_1, h_2, h_3)$ to oracle $D_2$ to obtain the correct value $b \in \{0,1\}$: $b = 0$ if the answer of $D_2$ is InvDDH triple, and 1 otherwise.
19
DDDH DDH
- Given $(g, g^x, g^y, g^{x/y})$, one simply submits $(g, g^y, g^{x/y}, g^x)$ to DDH to decide the divisible format of the quadruple.
DDH DDDH
- Given $(g, g^x, g^y, g^{xy})$, one queries DDDH with $(g, g^{xy}, g^y, g^x)$ and returns DDDH's answer.
- Therefore, we know the fact that DDDH DDH.
20
SDDH DDH
- Given a distinguisher $D$ which is able to tell the standard decisional Diffie-Hellman triple from the random triple, there exists a distinguisher $D_1$ that is able to tell the square decisional Diffie-Hellman triple from a random triple.
- Given a triple $(g, g^x, g^z)$, where $g^z$ is either of the form $g^y$ or $g^{x^2}$, choose two strings $s, t$ at random and compute $u \leftarrow (g^x)^s$, $v \leftarrow (g^x)^t$, $w \leftarrow (g^z)^{st}$.
- If $(g, g^x, g^z)$ is a square DH triple, then $(g, u, v, w)$ is a DH quadruple.
- Input $(g, u, v, w)$ to the distinguisher $D$ to obtain the correct value $b \in \{0,1\}$.
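The two decisional transformations from the DDDH DDH and SDDH DDH slides, run against a brute-force decision oracle in a toy group. This is an added example, not code from the paper or the slides; the parameters `P`, `Q`, `G`, the `ddh_oracle` stand-in for the distinguisher $D$, and the function names are assumptions.

```python
import secrets

# Constructed toy group in the slides' form p = 2q + 1; G = 4 has prime order Q.
Q, P, G = 1019, 2039, 4

def ddh_oracle(a, b, c):
    """Stand-in for the assumed distinguisher D: is (g, a, b, c) a DH quadruple,
    i.e. c = b^e where a = g^e?  Exhaustive search, possible only because Q is tiny."""
    return any(pow(G, e, P) == a and pow(b, e, P) == c for e in range(Q))

def sddh_from_ddh(gx, gz, D=ddh_oracle):
    """Decide whether (g, g^x, g^z) is a square triple (z = x^2) with one DDH query."""
    # Nonzero randomizers s, t, as on the slide.
    s, t = (1 + secrets.randbelow(Q - 1) for _ in range(2))
    u = pow(gx, s, P)         # g^(xs)
    v = pow(gx, t, P)         # g^(xt)
    w = pow(gz, s * t, P)     # g^(z st); equals g^((xs)(xt)) exactly when z = x^2
    return D(u, v, w)

def dddh_from_ddh(gx, gy, gz, D=ddh_oracle):
    """Decide whether (g, g^x, g^y, g^z) is a divisible quadruple (z = x/y)
    by submitting the reordered quadruple (g, g^y, g^z, g^x) to D."""
    return D(gy, gz, gx)      # DH quadruple iff y * z = x

if __name__ == "__main__":
    x, y = 77, 7
    print(sddh_from_ddh(pow(G, x, P), pow(G, x * x % Q, P)))            # square triple
    print(sddh_from_ddh(pow(G, x, P), pow(G, (x * x + 1) % Q, P)))      # not a square triple
    z = x * pow(y, -1, Q) % Q
    print(dddh_from_ddh(pow(G, x, P), pow(G, y, P), pow(G, z, P)))      # divisible quadruple
```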
21
DDH SDDH
- Unfortunately, we are not able to show that DDH SDDH. This leaves an interesting research problem.
- Conjecture: Under the assumption of group structure of $G$, DDH is equivalent to SDDH.
22
Polynomial samples setting
Generalized Decisional Diffie-Hellman assumption: for any $k$, the following distributions are indistinguishable:
- The distribution $R_{2k}$ of any random tuple $(g_1, \ldots, g_k, u_1, \ldots, u_k) \in G^{2k}$, where $g_1, \ldots, g_k$ and $u_1, \ldots, u_k$ are uniformly distributed in $G^{2k}$
- The distribution $D_{2k}$ of tuples $(g_1, \ldots, g_k, u_1, \ldots, u_k) \in G^{2k}$, where $g_1, \ldots, g_k$ are uniformly distributed in $G^k$, and $u_1 = g_1^r, \ldots, u_k = g_k^r$ for $r \in Z_q$ chosen at random
23
- An algorithm that solves the generalized decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions.
- Generalized decisional Diffie-Hellman assumption: there is no polynomial statistical test.
DDH SDDH InvDDH DDDH
24
Generalized square decisional Diffie-Hellman assumption (GSDDH):
- The distribution $R_{3k}$ of any random tuple $(g_1, \ldots, g_k, g_1^{x_1}, \ldots, g_k^{x_k}, u_1, \ldots, u_k) \in G^{3k}$, where $g_1, \ldots, g_k$, $x_1, \ldots, x_k$ and $u_1, \ldots, u_k$ are uniformly distributed in $G^{3k}$
- The distribution $D_{3k}$ of tuples $(g_1, \ldots, g_k, g_1^{x_1}, \ldots, g_k^{x_k}, u_1, \ldots, u_k) \in G^{3k}$, where $g_1, \ldots, g_k, g_1^{x_1}, \ldots, g_k^{x_k}$ are uniformly distributed in $G^k$ while $u_1 = g_1^{x_1^2}, \ldots, u_k = g_k^{x_k^2}$ for each $x_i$ uniformly distributed in $Z_q$
- GSDDH assumption: there is no polynomial statistical test.
25
Generalized inverse decisional Diffie-Hellman assumption (GInvDDH):
- The distribution $R_{3k}$ of any random tuple $(g_1, \ldots, g_k, g_1^{x_1}, \ldots, g_k^{x_k}, u_1, \ldots, u_k) \in G^{3k}$, where $g_1, \ldots, g_k$, $x_1, \ldots, x_k$ and $u_1, \ldots, u_k$ are uniformly distributed in $G^{3k}$
- The distribution $D_{3k}$ of tuples $(g_1, \ldots, g_k, g_1^{x_1}, \ldots, g_k^{x_k}, u_1, \ldots, u_k) \in G^{3k}$, where $g_1, \ldots, g_k, g_1^{x_1}, \ldots, g_k^{x_k}$ are uniformly distributed in $G^k$ while $u_1 = g_1^{x_1^{-1}}, \ldots, u_k = g_k^{x_k^{-1}}$ for each $x_i$ uniformly distributed in $Z_q$
- GInvDDH assumption: there is no polynomial statistical test.
26
6-DDH 4-DDH
- Given a machine $M$ that can get a non-negligible advantage $\varepsilon$ between $D_4$ and $R_4$
- Given any six-tuple $(g_1, g_2, g_3, u_1, u_2, u_3)$, which comes from either $R_6$ or $D_6$, $M'$ runs $M$ on the quadruple $(g_1 g_2, g_3, u_1 u_2, u_3)$ and simply forwards the answer.
- It outputs 1 if the input comes from $D_4$ ($D_6$ respectively), and 0 if the input tuple comes from $R_4$ ($R_6$ respectively).
28
4-DDH 6-DDH
- Given a machine $M$ that can get a non-negligible advantage $\varepsilon$ between $D_6$ and $R_6$
- Given a quadruple $(g_1, g_2, u_1, u_2)$, $M'$ runs $M$ on the six-tuple $(g_1, g_2, g_1^s g_2^t, u_1, u_2, u_1^s u_2^t)$ for randomly chosen $s$ and $t$ in $Z_q$, and forwards the answer.
30
Conclusions
- We have studied the relationship among variations of the Diffie-Hellman problem, including the computational and decisional cases, with efficient reductions.
- We show that all four variations of the computational Diffie-Hellman problem are equivalent if the order of the underlying cyclic group is a large prime.
- We are able to show that all variations are equivalent except for the argument DDH SDDH, and thus leave an interesting open problem.