Citation Context

... for discrete log to be hard in G1 we must choose our security parameter so that discrete log is hard in G2 (see Section 5). Decision Diffie-Hellman is Easy: The Decision Diffie-Hellman problem (DDH) =-=[4]-=- in G1 is to distinguish between the distributions 〈P, aP, bP, abP 〉 and 〈P, aP, bP, cP 〉 where a, b, c are random in Z∗ q and P is random in G∗ 1 . Joux and Nguyen [28] point out that DDH in G1 is ea...

Citation Context

..., to use generic, randomly generated elliptic curves; indeed, for another special class of elliptic curves, the DL assumption is false [Sma99]. We refer the reader to two excellent surveys [MW00] and =-=[Bon98]-=-. The latter focuses exclusively on the DDH assumption, while the former discusses both the CDH and DDH assumptions. Also see [Sho97], where it is shown that the DDH is hard in a “generic” model of co...

Citation Context

...ted from any one-way function. In section 4 we give a practical construction of a pseudonym system based on standard number-theoretic assumptions and the hardness of a new Diffie-Hellman-like problem =-=[15,3]-=- which we prove hard with respect to generic group algorithms. Our construction is easily implementable. Moreover, the secret key that motivates the user not to share his identity is usable in many ex...

Citation Context

...aphic literature in the paper of Steiner et al. [31] which also proves that the DDH assumption implies the GDDH assumption. Since then, the G-DDH has been used in several other cryptographic settings =-=[12, 25]-=-. The G-CDH assumption is a potentially weaker intractability assumption than G-DDH. It is also believed that the CDH assumption implies the G-CDH assumption but it has not yet been proved. The G-CDH ...

Citation Context

...H(A) = | Pr[A(XR) = 1] − Pr[A(XD) = 1]|. The DDH assumption is that this advantage is negligible for all efficient algorithms. The DDH problem is “random self-reducible” (see [Sta96] and [NR97]). See =-=[Bon98]-=- and [NR97] for further discussion of the DDH. 14.3 The Gap-CDH Problem The submitters of the PSEC scheme have proposed a new computational assumption, called the gap-CDH assumption. This is the assum...

Citation Context

...ific numbertheoretic problems. 2 We also note that while NIZK proofs for certain lattice problems are known [48], they do not appear to suffice for CCA security. 3the decisional Diffie-Hellman (DDH) =-=[13]-=- and decisional composite residuosity [45] problems. However, the NIZK approach has two significant drawbacks. First, the constructions from general assumptions are inefficient, as they are inherently...

Citation Context

...not exist at all. 5 Fig. 3 presents a simplified version of the protocol. The complete protocol is followed by a key confirmation and a key derivation based on the leftover hash lemma [24] (see Boneh =-=[11]-=-).sAlice Bob pick xA ∈U {0,...,|G| − 1} pick xB ∈U {0,...,|G| − 1} yA ← g xA yB ← g xB hA ← H1(yA) SASA ← H2(yA) hA −−−−−−−−−−−−−−−−→ hB ←−−−−−−−−−−−−−−−− hB ← H1(yB) authenticateAlice(SASA) −−−−−−−−−...