Results 1 - 10 of 12
Key Agreement Protocols and their Security Analysis
1997
Cited by 107 (6 self)
This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (public-key) setting. A formal
The gap-problems: a new class of problems for the security of cryptographic schemes
Proceedings of PKC 2001, volume 1992 of LNCS, 1992
Cited by 107 (11 self)
Abstract. This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the Diffie-Hellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10-year old open security problem: the Chaum’s undeniable signature.
Using Hash Functions as a Hedge against Chosen Ciphertext Attack
2000
Cited by 62 (7 self)
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional Diffie-Hellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational Diffie-Hellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional Diffie-Hellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of Cramer and Shoup; we prove that the scheme is secure if the Decisional Diffie-Hellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational Diffie-Hellman assumption is true by providing a proof of security in the random oracle model.
Chosen-Ciphertext Security for any One-Way Cryptosystem
In PKC ’00, LNCS 1751, 2000
Cited by 34 (12 self)
Abstract. For two years, public key encryption has become an essential topic in cryptography, namely with security against chosen-ciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function, in the random oracle model. More concretely, any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext secure encryption scheme. Indeed, the overhead only consists of two hashing and a XOR. As application, we provide the most efficient El Gamal encryption variant, therefore secure relative to the computational Diffie-Hellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).
Variations of Diffie-Hellman Problem
In ICICS ’03, volume 2836 of LNCS, 2003
Cited by 22 (1 self)
Abstract. This paper studies various computational and decisional Diffie-Hellman problems by providing reductions among them in the high granularity setting. We show that all three variations of computational Diffie-Hellman problem: square Diffie-Hellman problem, inverse Diffie-Hellman problem and divisible Diffie-Hellman problem, are equivalent with optimal reduction. Also, we are considering variations of the decisional Diffie-Hellman problem in single sample and polynomial samples settings, and we are able to show that all variations are equivalent except for the argument DDH ⇐ SDDH. We are not able to prove or disprove this statement, thus leave an interesting open problem. Keywords: Diffie-Hellman problem, Square Diffie-Hellman problem, Inverse Diffie-Hellman problem, Divisible Diffie-Hellman problem
Assumptions Related to Discrete Logarithms: Why Subtleties Make a Real Difference
Advances in Cryptology-Eurocrypt 2001, LNCS 2045, 2002
Cited by 16 (1 self)
The security of many cryptographic constructions relies on assumptions related to Discrete Logarithms (DL), e.g., the Diffie-Hellman, Square Exponent, Inverse Exponent or Representation Problem assumptions. In the concrete formalizations of these assumptions one has some degrees of freedom offered by parameters such as computational model, problem type (computational, decisional) or success probability of adversary. However, these parameters and their impact are often not properly considered or are simply overlooked in the existing literature.
Secure Hashed Diffie-Hellman over Non-DDH Groups
2004
Cited by 13 (1 self)
We show that in applications that use the Diffie-Hellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DH-based encryption and key exchange) the usual requirement to work over a DDH group (i.e., a group in which the Decisional Diffie-Hellman assumption holds) can be relaxed to only requiring that the DH group contains a large enough DDH subgroup. In particular, this implies the security of (hashed) Diffie-Hellman over non-prime order groups such as Z*_p. Moreover, our results show that one can work directly over Z*_p without requiring any knowledge of the prime factorization of p-1 and without even having to find a generator of Z*_p. These results are obtained via a general characterization of DDH groups in terms of their DDH subgroups, and a relaxation (called t-DDH) of the DDH assumption via computational entropy. We also show that, under the short-exponent discrete-log assumption, the security of the hashed Diffie-Hellman transform is preserved when replacing full exponents with short exponents.
Two-Pass Authenticated Key Agreement Protocol with Key Confirmation
Proc. of Indocrypt 2000, LNCS, 2000
Cited by 10 (2 self)
This paper proposes three key agreement protocols that emphasize their security and performance. First, the two-pass authenticated key agreement (AK) protocol is presented in the asymmetric setting, which is based on Diffie-Hellman key agreement working over an elliptic curve group and provides more desirable security attributes than the MTI/A0, two-pass Unified Model and two-pass MQV protocols. Other two protocols are modifications of this protocol: the three-pass authenticated key agreement with key confirmation (AKC) protocol which uses message authentication code (MAC) algorithms for key confirmation, and the two-pass authenticated key agreement protocol with unilateral key confirmation which uses the MAC and the signature.
Efficient pseudorandom generators based on the DDH assumption, ePrint 2006/321
In PKC 2007, volume ???? of LNCS, 2007
Cited by 5 (0 self)
Abstract. A family of pseudorandom generators based on the decisional Diffie-Hellman assumption is proposed. The new construction is a modified and generalized version of the Dual Elliptic Curve generator proposed by Barker and Kelsey. Although the original Dual Elliptic Curve generator is shown to be insecure, the modified version is provably secure and very efficient in comparison with the other pseudorandom generators based on discrete log assumptions. Our generator can be based on any group of prime order provided that an additional requirement is met (i.e., there exists an efficiently computable function that in some sense enumerates the elements of the group). Two specific instances are presented. The techniques used to design the instances, for example, the new probabilistic randomness extractor are of independent interest for other applications.
A Tool Box of Cryptographic Functions related to the Diffie-Hellman Function
Indocrypt'01, Lecture Notes Comp. Science 2247
Cited by 1 (1 self)
Given a cyclic group G and a generator g, the Diffie-Hellman function (DH) maps two group elements (g^a, g^b) to g^{ab}. For many groups G this function is assumed to be hard to compute. We generalize this function to the P-Diffie-Hellman function (P-DH) that maps two group elements (g^a, g^b) to g^{P(a,b)} for a (non-linear) polynomial P in a and b.

