## The gap-problems: a new class of problems for the security of cryptographic schemes (1992)

Venue: Proceedings of PKC 2001, volume 1992 of LNCS

Citations: 130 - 11 self

### BibTeX

```bibtex
@INPROCEEDINGS{Okamoto92thegap-problems:,
    author = {Tatsuaki Okamoto and David Pointcheval},
    title = {The gap-problems: a new class of problems for the security of cryptographic schemes},
    booktitle = {Proceedings of PKC 2001, volume 1992 of LNCS},
    year = {1992},
    pages = {104--118},
    publisher = {Springer-Verlag}
}
```

### Abstract

This paper introduces a novel class of computational problems, the gap problems, which can be considered as a dual to the class of the decision problems. We show the relationship among inverting problems, decision problems and gap problems. These problems find a nice and rich practical instantiation with the Diffie-Hellman problems. Then, we see how the gap problems find natural applications in cryptography, namely for proving the security of very efficient schemes, but also for solving a more than 10-year old open security problem: the Chaum’s undeniable signature.

### Citations

3152 | A Method for Obtaining Digital Signatures and Public-Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
Citation Context: ...der a reasonable computational assumption. A typical reasonable computational assumption is the intractability of an inverting problem such as factoring a composite number, inverting the RSA function [33], computing the discrete logarithm problem, and computing the Diffie-Hellman problem [12]. Here, an inverting problem is, given a problem, x, and relation f, to find its solution, y, such that f(x, y)...

2924 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context: ...is the intractability of an inverting problem such as factoring a composite number, inverting the RSA function [33], computing the discrete logarithm problem, and computing the Diffie-Hellman problem [12]. Here, an inverting problem is, given a problem, x, and relation f, to find its solution, y, such that f(x, y) = 1. Another type of reasonable computational assumptions is the intractability of a deci...

1417 | Random oracles are practical: a paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context: ...whose security proof has been an open problem for more than 10 years. We will prove that the full-domain hash [3] variant of this scheme is secure under the Gap-DH problem, in the random oracle model [2]. Definition. First, we just define informally an undeniable signature scheme. For more details, the reader is referred to the original papers [9,7]. An undeniable signature scheme consists of 3 algor...

862 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context: ...p-problem, whereas it was just known weaker than the computational version. 4.1 Signatures. An important tool in cryptography is the authentication of messages. It is provided using digital signatures [17]. The basic property of a signature scheme, from the verifier point of view, is the easy verification of the relation between a message and the signature, whereas it should be intractable for anybody,...

762 | Elliptic curve cryptosystems
- Koblitz
Citation Context: ...h(·) = ⋆-DH(g, h, ·). About the inverting problem, it is believed intractable in many groups (prime subgroups of the multiplicative groups Z_n^⋆ or Z_p^⋆ [18,23], prime subgroups of some elliptic curves [20], or of some Jacobians of hyper-elliptic curves [21,22]). The decision problem is also believed so in many cases. For example, in generic groups, where only generic algorithms [28] can be used, becaus...

618 | Efficient Signature Generation for Smart Cards
- Schnorr
Citation Context: ...mal encryption scheme [13]). Let us first give a quick definition of this new cryptographic object together with the security notions. Then we study the Okamoto’s example, using the Schnorr signature [34], in the random oracle model. Definition. As for undeniable signatures, we just give an informal definition of designated confirmer signatures. For more details, the reader is referred to [8]. A desig...

524 | Group signatures
- Chaum, Heyst
- 1991
Citation Context: ... flaw, we have realized that the existing computational assumptions (or primitive problems) are not sufficient to prove the security of these schemes. For example, Chaum’s undeniable signature scheme [9,7] based on the discrete logarithm is the most typical scheme to realize an undeniable signature scheme and is often used for cryptographic K. Kim (Ed.): PKC 2001, LNCS 1992, pp. 104–118, 2001. © Sprin...

476 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
Citation Context: ...ch as the decision Diffie-Hellman problem. Such a decision problem is especially useful to prove the semantical security of a public-key encryption (e.g., El Gamal and Cramer-Shoup encryption schemes [13,11]). Although we have several types of decision problems, a typical decision problem is, given (x, y) and f, to decide whether the pair (x, y) satisfies f(x, y) = 1 or not. Another typical example of deci...

352 | The exact security of digital signatures - How to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
Citation Context: ... seen as a decision oracle. Let us study the first example of undeniable signatures [9,7] whose security proof has been an open problem for more than 10 years. We will prove that the full-domain hash [3] variant of this scheme is secure under the Gap-DH problem, in the random oracle model [2]. Definition. First, we just define informally an undeniable signature scheme. For more details, the reader is...

332 | A public key cryptosystem and a signature scheme based on discrete logarithms
- Gamal
- 1985
Citation Context: ...ch as the decision Diffie-Hellman problem. Such a decision problem is especially useful to prove the semantical security of a public-key encryption (e.g., El Gamal and Cramer-Shoup encryption schemes [13,11]). Although we have several types of decision problems, a typical decision problem is, given (x, y) and f, to decide whether the pair (x, y) satisfies f(x, y) = 1 or not. Another typical example of deci...

299 | Security Arguments for Digital Signatures and Blind Signatures
- Pointcheval, Stern
Citation Context: ...ch completes a valid signature (d, e, s). Therefore, the security of this designated confirmer signature scheme is weaker than the G-DHb,g problem. In the opposite way, one can use a replay technique [32]. Let us consider an adversary that is able to produce an existential forgery with probability ε within time t after qs queries to the signing oracle and qh queries to the random oracle H, where g is ...

232 | Lower bounds for discrete logarithms and related problems
- Shoup
Citation Context: ...uivalent, and furthermore in each, one of the directions is trivial, since any strongly tractable problem is a fortiori tractable. For the remaining direction, one can simply use Shoup’s construction [35] to obtain the result. □ Corollary 5. Let f and R be any relations. Let us assume that both the inverting problem of f and the R-decision problem of f are random self-reducible. – If the R-gap proble...

205 | A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves
- Frey, Ruck
- 1994
Citation Context: ...m is a reasonable assumption. However, because of some dual properties in Abelian varieties, the decision Diffie-Hellman problem is easy over the Jacobians of some (hyper)-elliptic curves: namely, in [16], it has been stated the following result Proposition 8. Let m be an integer relatively prime to q, and let µ_m(F_q) be the group of roots of unity in F_q whose order divides m. We furthermore assume tha...

156 | Hyperelliptic cryptosystems
- Koblitz
- 1989
Citation Context: ... is believed intractable in many groups (prime subgroups of the multiplicative groups Z_n^⋆ or Z_p^⋆ [18,23], prime subgroups of some elliptic curves [20], or of some Jacobians of hyper-elliptic curves [21,22]). The decision problem is also believed so in many cases. For example, in generic groups, where only generic algorithms [28] can be used, because of a non-manageable numeration, the discrete logarith...

144 | Designated verifier proofs and their applications
- Jakobsson, Sako, et al.
- 1996
Citation Context: ...cure. Moreover, to make the analysis easier, we replace the zero-knowledge interactive proof by a non-interactive but non-transferable proof. There are well-known techniques using trapdoor commitments [19] which are perfectly simulatable in the random oracle model [31]. Therefore, we analyze the following variant. – Setting: g is a generator of a group G of prime order q. The secret key of the signer i...

143 | An efficient off-line electronic cash system based on the representation problem
- Brands
- 1993
Citation Context: ...ing, ⊥. Let us see some examples for the relation, R1, R2, R3, R4: – R1(f, x, y) = 1 iff f(x, y) = 1, which formalizes the classical version of decision problems (cf. the Decision Diffie-Hellman problem [4,26]). – R2(f, x, ⊥) = 1 iff there exists any z such that f(x, z) = 1, which simply answers whether the inverting problem has a solution or not. – R3(f, x, ⊥) = 1 iff z is even, when z such that f(x, z) = 1 is un...

138 | RSA and Rabin Functions: Certain Parts are as Hard as the Whole
- Alexi, Chor, et al.
- 1988
Citation Context: ...r not. – R3(f, x, ⊥) = 1 iff z is even, when z such that f(x, z) = 1 is uniquely defined. This latter example models the least-significant bit of the pre-image, which is used in many hard-core bit problems [1,14]. – R4(f, x, ⊥) = 1 iff all the z such that f(x, z) = 1 are even. It is often the case that the inverting problem is strictly stronger than the R-decision problem, namely for all the classical examples w...

132 | editors. The development of the number field sieve
- Lenstra, Lenstra
- 1993
Citation Context: ...nd one are fixed: ⋆-DH_g(·) = ⋆-DH(g, ·) and ⋆-DH_{g,h}(·) = ⋆-DH(g, h, ·). About the inverting problem, it is believed intractable in many groups (prime subgroups of the multiplicative groups Z_n^⋆ or Z_p^⋆ [18,23], prime subgroups of some elliptic curves [20], or of some Jacobians of hyper-elliptic curves [21,22]). The decision problem is also believed so in many cases. For example, in generic groups, where on...

122 | On the exact security of full domain hash
- Coron
- 2000
Citation Context: ...But we further slightly modify this scheme to prevent existential forgeries, namely by ruling out the basic multiplicative attacks: one uses the classical full-domain hash technique [3,10]. If this hash function is furthermore assumed to behave like a random oracle [2], this scheme can be proven secure. Moreover, to make the analysis easier, we replace the zero-knowledge interactive pr...

85 | Designated confirmer signatures
- Chaum
- 1995
Citation Context: ...David Pointcheval 4.2 Undeniable Signatures. In undeniable signatures [9,7], contrarily to plain signatures, the verification process must be intractable without the help of the signer (or a confirmer [8]). And therefore, the confirmer (which can be the signer himself) can be seen as a decision oracle. Let us study the first example of undeniable signatures [9,7] whose security proof has been an open ...

77 | REACT: Rapid enhanced-security asymmetric cryptosystem transform
- Okamoto, Pointcheval
- 2001
Citation Context: ...e considering a new kind of attacks, the plaintext-checking attacks, against public-key encryption scheme. And they help us to provide REACT, a Rapid Enhanced-security Asymmetric Cryptosystem Transform [30], which makes into a chosen-ciphertext secure cryptosystem any weakly secure scheme. Other applications will certainly appear. Anyway, it is worth noting that it had been open for more than 10 years to...

67 | Discrete logarithms in GF(p) using the number field sieve
- Gordon
- 1993
(Show Context)
Citation Context ...nd one are fixed: ⋆-DHg(·) =⋆-DH(g, ·) and ⋆-DHg,h(·) =⋆-DH(g, h, ·). About the inverting problem, it is believed intractable in many groups (prime subgroups of the multiplicative groups Z⋆ n or Z⋆ p =-=[18,23]-=-, prime subgroups of some elliptic curves [20], or of some Jacobians of hyper-elliptic curves [21,22]). The decision problem is also believed so in many cases. For example, in generic groups, where on... |

67 | Complexity of a determinate algorithm for the discrete logarithm
- Nechaev
- 1994
Citation Context: ...ome elliptic curves [20], or of some Jacobians of hyper-elliptic curves [21,22]). The decision problem is also believed so in many cases. For example, in generic groups, where only generic algorithms [28] can be used, because of a non-manageable numeration, the discrete logarithm, the inverting Diffie-Hellman and the decision Diffie-Hellman problems have been proven to require the same amount of compu...

58 | The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems
- Frey, Müller, et al.
- 1999
Citation Context: ...oints). This pairing, the so-called Tate-pairing, can be used to relate the discrete logarithm in the group J_m(F_q) to the discrete logarithm in F_q^⋆, if q − 1 is divisible by m. A particular application [15] is over an elliptic curve, with a trace of the Frobenius endomorphism congruent to 2 modulo m. Indeed, for example, with an elliptic curve J(F_q) = E of trace t = 2 and m = #E = q + 1 − t = q − 1, we have...

46 | A Family of Jacobians Suitable for Discrete Log Cryptosystems
- Koblitz
- 1988
Citation Context: ... is believed intractable in many groups (prime subgroups of the multiplicative groups Z_n^⋆ or Z_p^⋆ [18,23], prime subgroups of some elliptic curves [20], or of some Jacobians of hyper-elliptic curves [21,22]). The decision problem is also believed so in many cases. For example, in generic groups, where only generic algorithms [28] can be used, because of a non-manageable numeration, the discrete logarith...

33 | Designated Confirmer Signatures and Public Key Encryption Are Equivalent
- Okamoto
- 1994
Citation Context: ...ew kind of undeniable signatures where the signer is not required to confirm the signature, but a designated confirmer, who owns a secret. Furthermore, he proposed a candidate. The same year, Okamoto [29] proved that the existence of such schemes is equivalent to the existence of public-key encryption schemes. He furthermore gave an example, based on the Diffie-Hellman problem [12] (on which relies th...

31 | Stronger Security Proofs for RSA and Rabin Bits
- Fischlin, Schnorr
- 2000
Citation Context: ...r not. – R3(f, x, ⊥) = 1 iff z is even, when z such that f(x, z) = 1 is uniquely defined. This latter example models the least-significant bit of the pre-image, which is used in many hard-core bit problems [1,14]. – R4(f, x, ⊥) = 1 iff all the z such that f(x, z) = 1 are even. It is often the case that the inverting problem is strictly stronger than the R-decision problem, namely for all the classical examples w...

27 | The Diffie-Hellman protocol
- Maurer, Wolf
Citation Context: ...ing, ⊥. Let us see some examples for the relation, R1, R2, R3, R4: – R1(f, x, y) = 1 iff f(x, y) = 1, which formalizes the classical version of decision problems (cf. the Decision Diffie-Hellman problem [4,26]). – R2(f, x, ⊥) = 1 iff there exists any z such that f(x, z) = 1, which simply answers whether the inverting problem has a solution or not. – R3(f, x, ⊥) = 1 iff z is even, when z such that f(x, z) = 1 is un...

24 | Generic Constructions for Secure and Efficient Confirmer Signature Schemes
- Michels, Stadler
- 1998
Citation Context: ...help for the confirmer, in forging a certificate. Description. Let us describe the original Okamoto’s example [29], using the Schnorr signature [34]. Because of a flaw remarked by Michels and Stadler [27], one cannot prove the security of this scheme against attacks performed by the confirmer. Then we focus on standard adversaries. – Setting: g is a generator of a group G of prime order q. The secret ...

23 | Off-Line Electronic Cash Based on Secret-Key Certificates
- Brands
- 1995
Citation Context: ... protocols (e.g., Brands’ restrictive blind signatures [6,5]), however, we cannot prove the security of Chaum’s undeniable signature scheme under any existing computational assumption. That is, we have realized that a new family of computational assumptions (o...

18 | The Development of the Number Field Sieve, Volume 1554
- Lenstra, Lenstra
- 1993
Citation Context: ...nd one are fixed: ⋆-DH_g(·) = ⋆-DH(g, ·) and ⋆-DH_{g,h}(·) = ⋆-DH(g, h, ·). About the inverting problem, it is believed intractable in many groups (prime subgroups of the multiplicative groups Z_n^⋆ or Z_p^⋆ [18, 23], prime subgroups of some elliptic curves [20], or of some Jacobians of hyper-elliptic curves [21, 22]). The decision problem is also believed so in many cases. For example, in generic groups, where o...

17 | Self-Scrambling Anonymizers
- Pointcheval
- 2001
Citation Context: ...-knowledge interactive proof by a non-interactive but non-transferable proof. There are well-known techniques using trapdoor commitments [19] which are perfectly simulatable in the random oracle model [31]. Therefore, we analyze the following variant. – Setting: g is a generator of a group G of prime order q. The secret key of the signer is a random element x ∈ Z_q while his public key is y = g^x. We fu...

14 | Diffie-Hellman oracles
- Maurer, Wolf
Citation Context: ... decision Diffie-Hellman problems have been proven to require the same amount of computation [35]. However, no polynomial time reduction has ever been proposed, excepted in groups with a smooth order [24,25,26]. Therefore, in all these groups used in cryptography, intractability of the gap problem is a reasonable assumption. However, because of some dual properties in Abelian varieties, the decision Diffie-...

6 | Decision Diffie-Hellman, and discrete logarithms
- Diffie-Hellman
- 1998
Citation Context: ... decision Diffie-Hellman problems have been proven to require the same amount of computation [35]. However, no polynomial time reduction has ever been proposed, excepted in groups with a smooth order [24,25,26]. Therefore, in all these groups used in cryptography, intractability of the gap problem is a reasonable assumption. However, because of some dual properties in Abelian varieties, the decision Diffie-...

3 | Secret-key certificates
- Brands
- 1995
Citation Context: ... protocols (e.g., Brands’ restrictive blind signatures [6,5]), however, we cannot prove the security of Chaum’s undeniable signature scheme under any existing computational assumption. That is, we have realized that a new family of computational assumptions (o...