1. Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups
Essam Ghadafi University of the West of England Jens Groth University College London
TexPoint fonts used in EMF.
Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

2. Prime order cyclic group
Group generator 𝐺,𝑔 ←Gen( 1 𝜆 )
Group 𝐺 of known prime order 𝑝
Uniformly random generator 𝑔 such that 𝐺=〈𝑔〉
Efficiently computable group operations
Generic group model
Adversary restricted to group operations and equality testing

3. Computational problems in cyclic groups
For now, just single cyclic group 𝐺,𝑔 of prime order 𝑝. Later, bilinear groups with pairings ( 𝐺 1 , 𝐺 2 , 𝐺 𝑇 , 𝑔 1 , 𝑔 2 ,𝑒).
Discrete Logarithm
Given 𝑔, 𝑔 𝑥 compute 𝑥
Computational Diffie-Hellman
Given 𝑔, 𝑔 𝑎 , 𝑔 𝑏 compute 𝑔 𝑎𝑏
Generalized Diffie-Hellman Exponent
Given 𝑔, 𝑔 𝑥 ,…, 𝑔 𝑥 𝑞−1 , 𝑔 𝑥 𝑞+1 ,…, 𝑔 𝑥 2𝑞 compute 𝑔 𝑥 𝑞
Strong Diffie-Hellman
Given 𝑔, 𝑔 𝑥 ,…, 𝑔 𝑥 𝑞 output 𝑐, 𝑔 1 𝑥+𝑐

4. Non-interactive computational assumptions
Generic group model
? ? ?
Computational Diffie-Hellman (CDH)
Discrete logarithm (DL)

5. Non-interactive computational assumptions
Generic group model
𝑞-GDHE & 𝑞-SFrac
Fractional assumptions
𝑞-GDHE
𝑞-SFrac
Polynomial assumptions
Computational Diffie-Hellman (CDH)
Discrete logarithm problem (DL)

6. Non-interactive computational assumption
Accept: 𝑏=1 Reject: 𝑏=0
PPT instance generator
𝑝𝑢𝑏,𝑝𝑟𝑖𝑣 ←𝐼 1 𝜆
DPT solution verifier
𝑏←𝑉(𝑝𝑢𝑏,𝑝𝑟𝑖𝑣,𝑠𝑜𝑙)
Definition
The non-interactive computational assumption (𝐼,𝑉) holds if for all PPT adversaries 𝐴
Pr 𝑝𝑢𝑏,𝑝𝑟𝑖𝑣 ←𝐼 1 𝜆 ;𝑠𝑜𝑙←𝐴(𝑝𝑢𝑏) 𝑉 𝑝𝑢𝑏,𝑝𝑟𝑖𝑣,𝑠𝑜𝑙 =1 ≈0

7. (𝑑,𝑚,𝑛)-target assumption
Say assumption is simple if 𝑏 𝑖 𝑋 =0
(𝑑,𝑚,𝑛)-target assumption
𝑚-variate polynomials of total degree 𝑑 or less
CDH assumption
1 1 , 𝑋 1 1 , 𝑋 ← 𝐼 𝑐𝑜𝑟𝑒 𝐺
𝑉 𝑐𝑜𝑟𝑒 , 𝑋 1 1 , 𝑋 2 1 , 𝑟 𝑋 𝑠 𝑋 ,𝑦
checks 𝑟( 𝑋 ) 𝑠( 𝑋 ) = X 1 X 2
𝑞-SDH assumption
1 1 , 𝑋 1 ,…, 𝑋 𝑞 1 ← 𝐼 𝑐𝑜𝑟𝑒 𝐺
𝑉 𝑐𝑜𝑟𝑒 , 𝑋 1 ,…, 𝑋 𝑞 1 , 𝑟 𝑋 𝑠 𝑋 ,𝑦
checks 𝑟( 𝑋 ) 𝑠( 𝑋 ) = 1 𝑋+𝑐
Say assumption is univariate if 𝑚=1
𝑝𝑢𝑏,𝑝𝑟𝑖𝑣 ←𝐼 1 𝜆
𝐺,𝑔 ←Gen 1 𝜆
𝑎 1 𝑋 𝑏 1 ( 𝑋 ) ,…, 𝑎 𝑛 ( 𝑋 ) 𝑏 𝑛 ( 𝑋 ) ,𝑝𝑢 𝑏 ′ ,𝑝𝑟𝑖 𝑣 ′ ← 𝐼 𝑐𝑜𝑟𝑒 𝐺
𝑥 ← 𝒁 𝑝 𝑚 (such that all 𝑏 𝑖 𝑥 ≠0)
𝑝𝑢𝑏= 𝐺, 𝑔 𝑎 1 𝑥 𝑏 1 𝑥 ,…, 𝑔 𝑎 𝑛 𝑥 𝑏 𝑛 𝑥 , 𝑎 1 𝑋 𝑏 1 𝑋 ,…, 𝑎 𝑛 𝑋 𝑏 𝑛 𝑋 ,𝑝𝑢 𝑏 ′ ; 𝑝𝑟𝑖𝑣=(𝑔, 𝑥 ,𝑝𝑟𝑖 𝑣 ′ )
𝑏←𝑉 𝑝𝑢𝑏,𝑝𝑟𝑖𝑣,𝑠𝑜𝑙= 𝑟 𝑋 𝑠 𝑋 ,𝑦,𝑠𝑜 𝑙 ′
Check 𝑟( 𝑋 ) 𝑠( 𝑋 ) ∉span 𝑎 1 𝑋 𝑏 1 𝑋 ,…, 𝑎 𝑛 𝑋 𝑏 𝑛 𝑋 as formal polynomials
Check 𝑦= 𝑔 𝑟 𝑥 𝑠 𝑥 and check 𝑉 𝑐𝑜𝑟𝑒 𝑝𝑢𝑏,𝑝𝑟𝑖𝑣,𝑠𝑜𝑙 =1
Ensures generic adversary cannot break assumption
Say assumption is polynomial if 𝑠 𝑋 =1
Say assumption is fractional if 𝑠 𝑋 ⫮ 𝑟 𝑋
Adversary’s target

8. Hierarchy of target assumptions
GDHE & SFrac
Polynomial & Fractional
Univariate simple target
Simple target assumptions
Target assumptions

9. Uber assumptions Generalized Diffie-Hellman Exponent (𝑞-GDHE)
Given 𝑔, 𝑔 𝑥 ,…, 𝑔 𝑥 𝑞−1 , 𝑔 𝑥 𝑞+1 ,…, 𝑔 𝑥 2𝑞 hard to compute 𝑔 𝑥 𝑞
Simple Fractional (𝑞-SFrac)
Given 𝑔, 𝑔 𝑥 ,…, 𝑔 𝑥 𝑞 hard to output 𝑟(𝑋) 𝑠(𝑋) , 𝑔 𝑟(𝑥) 𝑠(𝑥) with deg 𝑠 >deg⁡(𝑟)
The 𝑞-SDH problem: given (𝑔, 𝑔 𝑥 ,…, 𝑔 𝑥 𝑞 ) output 𝑐, 𝑔 1 𝑥+𝑐 is a special case of the q-SFrac problem with 𝑟 𝑋 =1 and 𝑠 𝑋 =𝑋+𝑐

10. Target assumption hierarchy⋮
3-GDHE & 3-SFrac
2-GDHE & 2-SFrac
1-GDHE & 1-SFrac
CDH

11. Structural analysis ⋮ ⋮ 3-GDHE 3-SFrac ⇓ ⇓ 2-GDHE ⟸ 2-SFrac ⇓ ⇓ 1-GDHE
Gftv#f8HJN FVDXZD\SA ⇓ ⇓
1-GDHE
1-SFrac ⇔ ⇓
CDH

12. Asymmetric bilinear groups
Bilinear group generator 𝐺 1 , 𝐺 2 , 𝐺 𝑇 , 𝑔 1 , 𝑔 2 ←BGen( 1 𝜆 )
Groups 𝐺 1 , 𝐺 2 , 𝐺 𝑇 of known prime order 𝑝
Efficiently computable group operations in 𝐺 1 , 𝐺 2 , 𝐺 𝑇
Efficiently computable bilinear map 𝑒: 𝐺 1 × 𝐺 2 → 𝐺 𝑇
𝑒 𝑔 1 𝑎 , 𝑔 2 𝑏 =𝑒 𝑔 1 , 𝑔 2 𝑎𝑏
Random generators 𝑔 1 , 𝑔 2 such that 𝐺 1 = 𝑔 1 , 𝐺 2 =〈 𝑔 2 〉
Defining 𝑔 𝑇 =𝑒( 𝑔 1 , 𝑔 2 ) we have 𝐺 𝑇 =〈 𝑔 𝑇 〉
Asymmetric (type III) setting where 𝐺 1 ≠ 𝐺 2

13. Bilinear target assumption stratification for 𝜶∈{𝟏,𝟐} 𝜶=𝑻⋮ ⋮
2-BGDHE & 2-BSFrac
2-BGap & 2-BSFrac
1-BGDHE & 1-BSFrac
1-BGap & 1-BSFrac
CDH
CDH

14. Open problems Prove or disprove the conjecture 𝑞-GDHE ⇒ 1-SDH
Find structure in the SFrac assumptions
Simplify the 𝑞-BGap assumptions
Tightness
Analyze assumptions where the goal is to output set group of elements 𝑦 1 ,…, 𝑦 ℓ with some relationship to each other
Analyze interactive assumptions

15. Conclusions Cryptographers Cryptanalysts
Most non-interactive computational assumptions in use are implied by the GDHE & SFrac assumptions
All non-fractional assumptions are implied by GDHE, giving us a “canary in the coal mine” barrier
Cryptanalysts
The GDHE and SFrac assumptions are the easiest targets to attack
Do not try to break discrete log, attack the “canary in the coal mine” assumptions first