## The Decision Diffie-Hellman Problem (1998)

### Download Links

- [crypto.stanford.edu]
- [www.stanford.edu]
- [crypto.stanford.edu]
- [crypto.stanford.edu]
- DBLP

### Other Repositories/Bibliography

Citations: 217 (6 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Boneh98thedecision,
  author    = {Dan Boneh},
  title     = {The Decision Diffie-Hellman Problem},
  booktitle = {},
  year      = {1998},
  pages     = {48--63},
  publisher = {Springer-Verlag}
}
```

### Abstract

The Decision Diffie-Hellman assumption (ddh) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area.

1 Introduction

An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group $G$ and a generator $g$. They respectively pick random $a, b \in [1, |G|]$ and exchange $g^a, g^b$. The secret key is $g^{ab}$. To totally break the protocol a passive eavesdropper, Eve, must compute the Diffie-Hellman function defined as $\mathrm{dh}_g(g^a, g^b) = g^{ab}$. We say that the group $G$ satisfies the Computational Diffie-Hellman assumption (cdh) if no efficient algorithm can compute the function $\mathrm{dh}_g(x, y)$ in $G$. Precise definitions are given in the next sectio...

### Citations

- New Directions in Cryptography. Diffie, Hellman, 1976. [3092 citations]
  Context: ...blems in this area. 1 Introduction. An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group $G$ and a generator $g$. They respectively pick random $a, b \in [1, |G|]$ and exchange $g^a, g^b$. The secret key is $g^{ab}$. To totally break the protocol a passive e...

- Probabilistic encryption. Goldwasser, Micali, 1984. [1271 citations]
  Context: ...$x_1 x_2 \dots x_n \in \{0,1\}^n$ is defined by $f_{p,g,\vec{a}}(x) = g^{a_0 \prod_{i=1}^{n} a_i^{x_i}}$. The distribution on the seed $s$ is induced by the random choice of $\vec{a}$ and the distribution induced on ... Footnote 2: Semantic security [17] is the standard security notion for an encryption scheme. It essentially says that any information about the plaintext an eavesdropper can obtain given the ciphertext, can also be obtained without th...

- Factoring polynomials with rational coefficients. Mathematische Annalen 261. Lenstra, Lenstra, et al., 1982. [783 citations]
  Context: ...ts of $g^{ab}$. Then there is also an expected polynomial time algorithm that given $p, g, g^a, g^b$ computes all of $g^{ab}$. Proof Sketch: The proof relies on lattice basis reductions and the LLL algorithm [19]. Given some $g^a$ and $g^b$ we wish to compute all of $g^{ab}$. To do so, we pick one random $r$ and apply $A$ to the points $g^{a+r}, g^{b+t}$ for many random values of $t$. Consequently, we learn the most significan...

- A pseudorandom generator from any one-way function. Håstad, Impagliazzo, et al., 1999. [774 citations]
  Context: ...hes to encrypt an $n$-bit string rather than a group element. This can be easily fixed using hashing. Suppose $|G| > 2^n$. Then assuming ddh, the string $g^{ab}$ has at least $n$ bits of computational entropy [18]. Note that the bit string representing $g^{ab}$ may be much longer. Hashing $g^{ab}$ to an $m$-bit string for some $m < n$ results in a bit-string indistinguishable from random. Encryption can be done by xoring th...

- How to Construct Random Functions. Goldreich, Goldwasser, et al., 1986. [681 citations]
  Context: ...s. Such functions can be used as the basis of many cryptographic schemes including symmetric encryption, authentication [14] and digital signatures [1]. Prior to these results, existing constructions [15, 23] based on number theoretic primitives were by far less efficient. Pseudo random functions were first introduced by Goldreich, Goldwasser and Micali [15]. At a high level, a set $F_n$ of functions $A_n \mapsto$ ...

- Undeniable signatures. Chaum, van Antwerpen, 1990. [550 citations]
  Context: ...hey reveal no information about $a$. Bellare and Micali [2] use ddh to construct a non-interactive oblivious transfer protocol. Brands [5] pointed out that several suggestions for undeniable signatures [8] implicitly rely on ddh. Steiner, Tsudik and Waidner [32] show that ddh implies generalized-ddh. They consider a generalization of Diffie-Hellman enabling a group of parties to exchange a common secr...

- A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. Cramer, Shoup, 1998. [496 citations]
  Context: ...s $n$ modular multiplications and one exponentiation. Note that we are assuming the order of $G_p$ is known. 4.3 A cryptosystem secure against adaptive chosen ciphertext attack. Recently, Cramer and Shoup [11] presented a surprising application of ddh. They describe an efficient public key cryptosystem which is secure against adaptive chosen ciphertext attack. Security against such a powerful attack could ...

- Non-malleable cryptography. Dolev, Dwork, et al., 1991. [477 citations]
  Context: ...icient public key cryptosystem which is secure against adaptive chosen ciphertext attack. Security against such a powerful attack could only be obtained previously by extremely inefficient techniques [25, 27, 13] relying on constructions for non-interactive zero-knowledge (efficient heuristic constructions are described in [33]). In light of this, it is remarkable that the ddh assumption is able to dramatical...

- Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. Rackoff, Simon, 1992. [366 citations]

- New Directions in Cryptography. Diffie, Hellman, 1976. [276 citations]

- Public-key cryptosystems provably secure against chosen ciphertext attacks. Naor, Yung, 1990. [269 citations]
  Context: same passage as the Dolev, Dwork et al. (1991) entry above, where this paper is cited in [25, 27, 13].

- Lower bounds for discrete logarithms and related problems. In EUROCRYPT. Shoup, 1997. [242 citations]

- Number-theoretic Constructions of Efficient Pseudo-random Functions. Naor, Reingold, 1997. [162 citations]
  Context: ...s whether $\mathrm{dh}_g(x, y) = z$ for most triplets. In contrast, a ddh algorithm is only required to correctly decide with non-negligible advantage. Stadler [31, Prop. 1] and independently Naor and Reingold [24] showed that the two assumptions, ddh and perfect-ddh, are equivalent. This conversion of an imperfect oracle into a perfect one is done via a random reduction. We slightly strengthen the result by ap...

- An Efficient Offline Electronic Cash System Based on the Representation Problem. CWI. Brands, 1993. [144 citations]
  Context: ...ash functions that let one test that $b = h(a)$, but given $b$ alone, they reveal no information about $a$. Bellare and Micali [2] use ddh to construct a non-interactive oblivious transfer protocol. Brands [5] pointed out that several suggestions for undeniable signatures [8] implicitly rely on ddh. Steiner, Tsudik and Waidner [32] show that ddh implies generalized-ddh. They consider a generalization of D...

- A hierarchy of polynomial time lattice basis reduction algorithms. Schnorr, 1987. [125 citations]

- Towards realizing random oracles: Hash functions that hide all partial information. Canetti, 1997. [121 citations]
  Context: ...able system, this form of cheating is impossible. 4.4 Others. The ddh assumption is used in many other papers as well. We very briefly mention four (see also the summary in [24]). Recently, Canetti [6] described a simple construction based on ddh for a primitive called "Oracle Hashing". These are hash functions that let one test that $b = h(a)$, but given $b$ alone, they reveal no information about $a$. ...

- Non-Interactive Oblivious Transfer and Applications. Bellare, Micali. [113 citations]
  Context: ...construction based on ddh for a primitive called "Oracle Hashing". These are hash functions that let one test that $b = h(a)$, but given $b$ alone, they reveal no information about $a$. Bellare and Micali [2] use ddh to construct a non-interactive oblivious transfer protocol. Brands [5] pointed out that several suggestions for undeniable signatures [8] implicitly rely on ddh. Steiner, Tsudik and Waidner [...

- Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Boneh, Venkatesan, 1996. [99 citations]
  Context: ...iffie-Hellman bits. Unfortunately, even proving that computing one bit of $g^{ab}$ given $g^a$ and $g^b$ is as hard as cdh is open. Currently, the only result along these lines is due to Boneh and Venkatesan [4]. At the moment these results only apply to the group $\mathbb{Z}_p$ and its subgroups. We define the $k$ most significant bits of an element $x \in \mathbb{Z}_p$ as the $k$ most significant bits of $x$ when viewed as an integer ...

- Factoring Polynomials with Rational Coefficients. Lenstra, Lenstra, et al., 1982. [98 citations]

- Algorithms for black-box fields and their application to cryptography (extended abstract). Boneh, Lipton, 1996. [82 citations]
  Context: ...e the function $\mathrm{dh}_g(x, y)$ in $G$. Precise definitions are given in the next section. Recent results provide some limited reductions from computing discrete log to computing the Diffie-Hellman function [20, 3, 21]. Unfortunately, cdh by itself is not sufficient to prove that the Diffie-Hellman protocol is useful for practical cryptographic purposes. Even though Eve may be unable to recover the entire secret, s...

- Finding a Small Root of a Bivariate Integer Equation; Factoring with High Bits Known. Coppersmith, 1996. [81 citations]
  Context: ...esult where the LLL algorithm is used to prove the security of a cryptographic primitive. Usually, LLL is used to attack cryptosystems (for example, consider Coppersmith's low exponent attacks on RSA [10]). 3.4 Statistical results. Although we cannot give bounds on the computational complexity of ddh some results are known on the statistical distribution of proper Diffie-Hellman triples in the group $\mathbb{Z}$...

- Complexity of a determinate algorithm for the discrete logarithm. Nechaev. [69 citations]
  Context: ...that assuming one cannot decide the Diffie-Hellman problem with overwhelming probability then one cannot decide it in any non-negligible fraction of the input space. 3.2 Generic algorithms. Nechaev [26] and Shoup [30] describe models enabling one to argue about lower bounds on computations of discrete log as well as ddh. We use Shoup's terminology. To disprove ddh one may first try to come up with a...

- On the cryptographic applications of random functions. Goldreich, Goldwasser, et al., 1985. [56 citations]
  Context: ...ddh. They show how to construct a collection of efficient pseudo random functions. Such functions can be used as the basis of many cryptographic schemes including symmetric encryption, authentication [14] and digital signatures [1]. Prior to these results, existing constructions [15, 23] based on number theoretic primitives were by far less efficient. Pseudo random functions were first introduced by G...

- New paradigms for digital signatures and message authentication based on noninteractive zero knowledge proofs. Bellare, Goldwasser, 1990. [50 citations]
  Context: ...t $s$ be a random bit. Set $w_0 = ab$ and $w_1 = c$. Then $\left| \Pr[A(\sigma, 1, a, b, w_s, w_{1-s}) = s] - \tfrac{1}{2} \right| < m^2/p$ where the probability is over the random choice of $a, b, c$ in $[1, p]$, the random encoding $\sigma$ and the random bits used by the algorithm. Proof Sketch: We bound the amount of information available to the algorithm after $m$ queries. Each time the algorithm interacts with t...

- Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions. Naor, Reingold, 1995. [44 citations]
  Context: same passage as the Goldreich, Goldwasser et al. (1986) entry above, where this paper is cited in [15, 23].

- Number-Theoretic Constructions of Efficient Pseudo-Random Functions. Naor, Reingold, 1997. [43 citations]

- Diffie-Hellman oracles. Maurer, Wolf, 1996. [42 citations]
  Context: same passage as the Boneh, Lipton (1996) entry above, where this paper is cited in [20, 3, 21].

- Diffie-Hellman key distribution extended to group communication. Steiner, Tsudik, et al., 1996. [33 citations]

- Fast probabilistic algorithms for verification of polynomial identities. Schwartz, 1980. [30 citations]

- On certain exponential sums and the distribution of Diffie-Hellman triples. Manuscript. Canetti, Friedlander, et al. [28 citations]
  Context: ...bounds on the computational complexity of ddh some results are known on the statistical distribution of proper Diffie-Hellman triples in the group $\mathbb{Z}_p$. Recently, Canetti, Friedlander and Shparlinski [7] showed that the triples $(g^a, g^b, g^{ab})$ are uniformly distributed modulo $p$ in the sense of Weyl. Let $p$ be a prime and $g$ a generator of $\mathbb{Z}_p$. Let $B$ be a box of size $|B| = h_1 h_2 h_3$. That is, $B$ ...

- Practical approaches to attaining security against adaptively chosen ciphertext attacks. Crypto '92. Zheng, Seberry. [25 citations]

- An efficient off-line electronic cash system based on the representation problem. CWI. Brands, 1993. [23 citations]

- A Course in Computational Number Theory. Cohen, 1993. [22 citations]
  Context: ...orithm that works in all groups. Indeed, such an algorithm would be devastating. However, the best known generic algorithm for ddh is a generic discrete log algorithm, namely the Baby-Step-Giant-Step [9]. When applied in a group of prime order $p$ this algorithm runs in time $O(\sqrt{p})$. Shoup shows that this is the best possible generic algorithm for ddh. We discuss the implications of this result at...

- Publicly verifiable secret sharing. Stadler. [18 citations]

- Lower bounds on generic algorithms in groups. Maurer, Wolf, 1998. [16 citations]
  Context: ...in all groups. It is important to keep this in mind when searching for efficient ddh algorithms. The algorithm must make use of the particular group encoding. Using a similar argument Maurer and Wolf [22] show that no efficient generic algorithm can reduce cdh to ddh. That is, suppose that in addition to the group action oracle, the algorithm also has access to an oracle for deciding ddh (i.e. given h...

- Diffie-Hellman oracles. Maurer, Wolf, 1996. [15 citations]

- Algorithms for black-box fields and their application to cryptography. Boneh, Lipton, 1996. [10 citations]

- Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. Boneh, Venkatesan, 1996. [9 citations]

- Towards proving the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. Maurer, 1994. [5 citations]
  Context: same passage as the Boneh, Lipton (1996) entry above, where this paper is cited in [20, 3, 21].

- Towards proving the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms. Maurer. [2 citations]

- core bits based on any one way function. Goldreich, Levin, et al. [1 citation]
  Context: ...shared secret; based on cdh we cannot prove that Eve cannot predict some of these bits. Nevertheless, based on cdh alone Alice and Bob can derive one unpredictable bit (known as a hard core bit [16]) from $g^{ab}$. If, given $g^a, g^b$, Eve could predict the hard core bit of $g^{ab}$, she could also compute all of $g^{ab}$. Hence, based on cdh alone, to exchange a $k$ bit secret, Alice and Bob would have t...