Multimedia Network Security Laboratory: Variations of Diffie-Hellman Problem. Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312. Feng Bao, Robert H. Deng, Huafei.


1 Multimedia Network Security Laboratory
Variations of Diffie-Hellman Problem
Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312
Feng Bao, Robert H. Deng, Huafei Zhu
Adviser: Professors 鄭錦楸, 郭文中
Reporter: 林彥宏

2
1. Introduction
2. Variations of Computational Diffie-Hellman Problem
3. Variations of Decisional Diffie-Hellman Problem
4. Conclusions

3 Introduction
• The Diffie-Hellman problem is a gold mine for cryptographic purposes.
• matching Diffie-Hellman problem, decisional Diffie-Hellman problem, Gap Diffie-Hellman problem
• This paper studies various computational and decisional problems related to the Diffie-Hellman problems.
• A  B: problem A reduces in polynomial time to another problem B

4 Introduction
• If A polynomially reduces to B and there is a polynomial time algorithm for B, then there is a polynomial time algorithm for A also.
• Computational Diffie-Hellman problem (CDH): square, inverse and divisible
• Decisional Diffie-Hellman problem (DDH): square, inverse and divisible
• All variations of the computational Diffie-Hellman problem are equivalent to the classic computational Diffie-Hellman problem.
• All variations of the decisional Diffie-Hellman problem are equivalent except for the argument DDH  SDDH

5
• Let $p$ be a large prime number.
• The discrete logarithm problem defined in $\mathbb{Z}_p^*$ is hard.
• Let $G \in \mathbb{Z}_p^*$ be a cyclic group of prime order $q$.
• $g$ is assumed to be a generator of $G$ (of prime order).
• The security parameters $p$, $q$ are defined in the fixed form $p = 2q + 1$ and $\mathrm{ord}(g) = q$.

6
• Computational Diffie-Hellman problem (CDH): on input $g, g^x, g^y$, compute $g^{xy}$.
• An algorithm that solves the computational Diffie-Hellman problem is a probabilistic polynomial time Turing machine that, on input $g, g^x, g^y$, outputs $g^{xy}$ with non-negligible probability.
• The computational Diffie-Hellman assumption means that there is no such probabilistic polynomial time Turing machine.

7
• Square computational Diffie-Hellman problem (SCDH): on input $g, g^x$, compute $g^{(x^2)}$.
• SCDH assumption: no such probabilistic polynomial time Turing machine exists.
• The SCDH assumption and the CDH assumption are equivalent.
• SCDH  CDH
• Given an oracle $A_1$ that, on input $g, g^x, g^y$, outputs $g^{xy}$,
• there exists an algorithm $A_2$ that, on input $g^x$, outputs $g^{(x^2)}$.
• Let $u := g^r$, choose $t_1, t_2 \in \mathbb{Z}_q$ at random, and compute $u_1 = u^{t_1} = g^{r t_1}$ and $u_2 = u^{t_2} = g^{r t_2}$.
• We are able to compute $v = A_1(u_1; u_2) = g^{r^2 t_1 t_2}$ with non-negligible probability.

8
• CDH  SCDH
• Given an oracle $A_2$ that, on input $g, g^x$, outputs $g^{(x^2)}$,
• there exists an algorithm $A_1$ that, on input $g, g^x, g^y$, outputs $g^{xy}$.
• Given $g^x$, we choose $s_1, s_2, t_1, t_2 \in \mathbb{Z}_q$ at random.
• Compute $v_1 := A_2(g^{x s_1}) = g^{(x s_1)^2}$, $v_2 := A_2((g^y)^{s_2}) = g^{(y s_2)^2}$.
• We compute $v_3 := A_2(g^{x s_1 t_1 + y s_2 t_2}) = g^{(x s_1 t_1 + y s_2 t_2)^2}$.
• Since $s_1, s_2, t_1, t_2$ are known already, it follows that $g^{xy}$ can be computed from $v_1, v_2, v_3, s_1, s_2, t_1, t_2$ immediately with the same advantage.
• CDH  SCDH

9
• Inverse computational Diffie-Hellman problem (InvCDH): on input $g, g^x$, output $g^{(x^{-1})}$.
• InvCDH assumption: no such probabilistic polynomial time Turing machine exists.
• The InvCDH assumption and the SCDH assumption are equivalent.
• InvCDH  SCDH
• Given an oracle $A_2$ that, on input $g, g^x$, outputs $g^{(x^2)}$,
• there exists an algorithm $A_3$ that, on input $g^x$, outputs $g^{(x^{-1})}$.
• Given a random value $g^r$, we set $h_1 \leftarrow g^r$ and $h_2 \leftarrow g$.
• Input $(h_1, h_2)$ to the oracle $A_2$ to obtain $A_2(h_1, h_2) = (g^{r^{-1}})^{r^2}$, $g^{r^{-1}}$; $A_2(g^r, (g^{r^{-1}})^r) = (g^{r^{-1}})^{r^2}$

10
• SCDH  InvCDH
• Given an oracle $A_3$ that, on input $g, g^x$, outputs $g^{(x^{-1})}$,
• there exists an algorithm $A_2$ that, on input $g, g^x$, outputs $g^{(x^2)}$.
• Given a random value $g, g^r$, we set $h_1 \leftarrow g^r$ and $h_2 \leftarrow g$.
• Input $(h_1, h_2)$ to the oracle $A_3$ to obtain $A_3(h_1, h_2) = A_3(g^r, (g^r)^{r^{-1}}) = (g^r)^{(r^{-1})^{-1}} = g^{r^2}$.
• It follows that $g^{r^2}$ can be computed from $A_3$ with the same advantage.

11
• Divisible computation Diffie-Hellman problem (DCDH problem): on random input $g, g^x, g^y$, compute $g^{y/x}$. We refer to this oracle as the divisional computation Diffie-Hellman problem.
• DCDH assumption: no such probabilistic polynomial time Turing machine exists.
• The DCDH assumption and the CDH assumption are equivalent.

12
• CDH  DCDH
• Given an oracle $A_4$ that, on input $g, g^x, g^y$, outputs $g^{y/x}$,
• there exists an algorithm $A_1$ that, on input $g^x, g^y$, outputs $g^{xy}$.
• Given $g, g^x, g^y$, choose $s_1, s_2, t_1, t_2 \in \mathbb{Z}_q$ at random.
• Compute $v_1 := A_4(g, (g^x)^{s_1}, g^{s_2}) = g^{x s_1 / s_2}$, $v_2 := A_4(g, g^{t_1}, (g^y)^{t_2}) = g^{(y t_2)/t_1}$.
• Finally, we compute $v := A_3(v_1, v_2) = g^{(x y s_1 t_2)/(s_2 t_1)}$.
• Since $s_1, s_2, t_1, t_2$ are known already, it follows that $g^{xy}$ can be computed from $v, s_1, s_2, t_1, t_2$ immediately with the same advantage.

13
• DCDH  CDH
• Given an oracle $A_1$ that, on input $g, g^x, g^y$, outputs $g^{xy}$,
• there exists an algorithm $A_4$ that, on input $g, g^x, g^y$, outputs $g^{y/x}$.
• Given $g, g^x, g^y$,
• construct an InvCDH oracle $A_3$ and input $(g, g^y)$ to $A_3$ to obtain $v := g^{(y^{-1})}$.
• Input $(g, g^x, v)$ to $A_1$ to obtain $g^{x/y}$.
• We prove the fact that if the underlying group has prime order $q$, all variations of the computational Diffie-Hellman problem are equivalent: CDH  SCDH  InvCDH  DCDH
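The CDH-side constructions on slides 8 to 13, as an added Python example (not code from the paper or the presentation). The toy parameters, the brute-force `_dlog` that simulates the oracle $A_2$, and all function names are assumptions made for illustration; the inverse step uses the change of base $A_2(g^x, g) = g^{x^{-1}}$.

```python
import secrets

# Toy parameters in the slides' form p = 2q + 1 (constructed, far too small for real use).
Q = 1019
P = 2 * Q + 1          # 2039, prime
G = 4                  # a square mod P, so it generates the order-Q subgroup

def _dlog(base, h):
    """Brute-force discrete log; only here to simulate an oracle in the toy group."""
    acc = 1
    for e in range(Q):
        if acc == h:
            return e
        acc = acc * base % P
    raise ValueError("element not generated by base")

def scdh_oracle(base, h):
    """Stand-in for A_2: on (base, base^x) return base^(x^2)."""
    x = _dlog(base, h)
    return pow(base, x * x % Q, P)

def cdh_from_scdh(gx, gy, sq=scdh_oracle):
    """A_1 built from A_2 with the blinding values s1, s2, t1, t2 of slide 8."""
    s1, s2, t1, t2 = (1 + secrets.randbelow(Q - 1) for _ in range(4))
    a = pow(gx, s1, P)                      # g^(x s1)
    b = pow(gy, s2, P)                      # g^(y s2)
    v1 = sq(G, a)                           # g^((x s1)^2)
    v2 = sq(G, b)                           # g^((y s2)^2)
    v3 = sq(G, pow(a, t1, P) * pow(b, t2, P) % P)
    # v3 / (v1^(t1^2) * v2^(t2^2)) = g^(2 xy s1 s2 t1 t2); strip the known factor.
    denom = pow(v1, t1 * t1, P) * pow(v2, t2 * t2, P) % P
    cross = v3 * pow(denom, -1, P) % P
    return pow(cross, pow(2 * s1 * s2 * t1 * t2, -1, Q), P)

def invcdh_from_scdh(gx, sq=scdh_oracle):
    """A_3 from A_2: with h = g^x we have g = h^(1/x), so A_2(h, g) = h^(1/x^2) = g^(1/x)."""
    return sq(gx, G)

def dcdh_from_cdh(gx, gy):
    """A_4, i.e. g^(y/x): invert x with A_3, then make one CDH call."""
    return cdh_from_scdh(gy, invcdh_from_scdh(gx))
```

The cross term can be unblinded only because $q$ is an odd prime, so $2 s_1 s_2 t_1 t_2$ is invertible modulo $q$; this is where the prime-order condition of slide 13 enters.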

14
• Decisional Diffie-Hellman assumption (DDH): let $G$ be a large cyclic group of prime order $q$. We consider the following two distributions:
• Given a Diffie-Hellman quadruple $g, g^x, g^y$ and $g^{xy}$, where $x, y \in \mathbb{Z}_q$ are random strings chosen uniformly at random.
• Given a random quadruple $g, g^x, g^y$ and $g^r$, where $x, y, r \in \mathbb{Z}_q$ are random strings chosen uniformly at random.
• An algorithm that solves the decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions.
• DDH assumption: no such polynomial statistical test exists.

15
• Square decisional Diffie-Hellman assumption (SDDH):
• Given a square Diffie-Hellman triple $g, g^x$ and $g^{x^2}$, where $x \in \mathbb{Z}_q$ is a random string chosen uniformly at random;
• Given a random triple $g, g^x$ and $g^r$, where $x, r \in \mathbb{Z}_q$ are two random strings chosen uniformly at random.
• SDDH assumption: no such polynomial statistical test exists.
• Inverse decisional Diffie-Hellman assumption (InvDDH):
• Given an inverse Diffie-Hellman triple $g, g^x$ and $g^{x^{-1}}$, where $x \in \mathbb{Z}_q$ is a random string chosen uniformly at random;
• Given a random triple $g, g^x$ and $g^r$, where $x, r \in \mathbb{Z}_q$ are two random strings chosen uniformly at random.
• InvDDH assumption: no such polynomial statistical test exists.

16
• Divisible decisional Diffie-Hellman assumption (DDDH):
• Given a divisible Diffie-Hellman quadruple $g, g^x, g^y$ and $g^{x/y}$, where $x, y \in \mathbb{Z}_q$ are random strings chosen uniformly at random;
• Given a random quadruple $g, g^x, g^y$ and $g^r$, where $x, r, y \in \mathbb{Z}_q$ are random strings chosen uniformly at random.
• DDDH assumption: no such polynomial statistical test exists.
• Relations among variations of the decisional Diffie-Hellman assumption

17
• InvDDH  SDDH
• Given a distinguisher $D_1$ which is able to tell an SDDH triple from a random triple with non-negligible probability,
• there exists a polynomial distinguisher $D_2$ which is able to tell an InvDDH triple from a random triple with non-negligible advantage.
• Given $g, g^x$ and $g^r$, where $r$ is either $x^{-1}$ or a random string,
• set $h_1 \leftarrow (g^r)^s$, $h_2 \leftarrow g^s$, $h_3 \leftarrow (g^x)^{s^2}$, where $s \in \mathbb{Z}_q$.
• If $r = x^{-1}$, then $h_1 = (g^{x^{-1}})^s$, $h_2 = (g^{x^{-1}})^{sx}$, and $h_3 = (g^{x^{-1}})^{s^2 x^2}$.
• If $r$ is a random triple, then $(h_1, h_2, h_3)$ is also a random triple.
• Input $(h_1, h_2, h_3)$ to oracle $D_1$ to obtain the correct value $b \in \{0,1\}$: $b = 0$ if the answer of $D_1$ is SDDH triple, and 1 otherwise.

18
• SDDH  InvDDH
• Given a distinguisher $D_2$ which is able to tell an InvDDH triple from a random triple with non-negligible advantage,
• there exists a distinguisher $D_1$ which is able to tell an SDDH triple from a random triple with non-negligible probability.
• Given $g, g^x, g^r$, where either $r = x^2$ or $r \in \mathbb{Z}_q$ is a random string,
• set $h_1 \leftarrow g^x$, $h_2 \leftarrow (g^r)^s$ and $h_3 \leftarrow g^{s^{-1}}$.
• If $r = x^2$, then $h_1 = g^x$, $h_2 = (g^x)^{xs}$ and $h_3 = (g^x)^{(xs)^{-1}}$.
• If $r$ is a random triple, then $(h_1, h_2, h_3)$ is also a random triple.
• Input $(h_1, h_2, h_3)$ to oracle $D_2$ to obtain the correct value $b \in \{0,1\}$: $b = 0$ if the answer of $D_2$ is InvDDH triple, and 1 otherwise.

19
• DDDH  DDH
• Given $(g, g^x, g^y, g^{x/y})$, one simply submits $(g, g^y, g^{x/y}, g^x)$ to DDH to decide the divisible format of the quadruple.
• DDH  DDDH
• Given $(g, g^x, g^y, g^{xy})$, one queries DDDH with $(g, g^{xy}, g^y, g^x)$ and returns DDDH's answer.
• Therefore, we know the fact that DDDH  DDH.

20
• SDDH  DDH
• Given a distinguisher $D$ which is able to tell the standard decisional Diffie-Hellman triple from the random triple,
• there exists a distinguisher $D_1$ that is able to tell the square decisional Diffie-Hellman triple from a random triple.
• Given a triple $(g, g^x, g^z)$, where $g^z$ is either of the form $g^y$ or $g^{x^2}$,
• choose two strings $s, t$ at random and compute $u \leftarrow (g^x)^s$, $v \leftarrow (g^x)^t$, $w \leftarrow (g^z)^{st}$.
• If $(g, g^x, g^z)$ is a square DH triple, then $(g, u, v, w)$ is a DH quadruple.
• Input $(g, u, v, w)$ to the distinguisher $D$ to obtain the correct value $b \in \{0,1\}$.

21
• DDH  SDDH
• Unfortunately, we are not able to show that DDH  SDDH. This leaves an interesting research problem.
• Conjecture: under the assumption of group structure of $G$, DDH is equivalent to SDDH.

22
• Polynomial samples setting
• Generalized decisional Diffie-Hellman assumption: for any $k$, the following distributions are indistinguishable:
- The distribution $R_{2k}$ of any random tuple $(g_1, \dots, g_k, u_1, \dots, u_k) \in G^{2k}$, where $g_1, \dots, g_k$ and $u_1, \dots, u_k$ are uniformly distributed in $G^{2k}$
- The distribution $D_{2k}$ of tuples $(g_1, \dots, g_k, u_1, \dots, u_k) \in G^{2k}$, where $g_1, \dots, g_k$ are uniformly distributed in $G^k$, and $u_1 = g_1^r, \dots, u_k = g_k^r$ for $r \in \mathbb{Z}_q$ chosen at random

23
• An algorithm that solves the generalized decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions.
• Generalized decisional Diffie-Hellman assumption: no such polynomial statistical test exists.
• DDH  SDDH  InvDDH  DDDH

24
• Generalized square decisional Diffie-Hellman assumption (GSDDH):
• The distribution $R_{3k}$ of any random tuple $(g_1, \dots, g_k, g_1^{x_1}, \dots, g_k^{x_k}, u_1, \dots, u_k) \in G^{3k}$, where $g_1, \dots, g_k$, $x_1, \dots, x_k$ and $u_1, \dots, u_k$ are uniformly distributed in $G^{3k}$
• The distribution $D_{3k}$ of tuples $(g_1, \dots, g_k, g_1^{x_1}, \dots, g_k^{x_k}, u_1, \dots, u_k) \in G^{3k}$, where $g_1, \dots, g_k$, $g_1^{x_1}, \dots, g_k^{x_k}$ are uniformly distributed in $G^k$ while $u_1 = g_1^{x_1^2}, \dots, u_k = g_k^{x_k^2}$ for each $x_i$ uniformly distributed in $\mathbb{Z}_q$
• GSDDH assumption: no polynomial statistical test

25
• Generalized inverse decisional Diffie-Hellman assumption (GInvDDH):
• The distribution $R_{3k}$ of any random tuple $(g_1, \dots, g_k, g_1^{x_1}, \dots, g_k^{x_k}, u_1, \dots, u_k) \in G^{3k}$, where $g_1, \dots, g_k$, $x_1, \dots, x_k$ and $u_1, \dots, u_k$ are uniformly distributed in $G^{3k}$
• The distribution $D_{3k}$ of tuples $(g_1, \dots, g_k, g_1^{x_1}, \dots, g_k^{x_k}, u_1, \dots, u_k) \in G^{3k}$, where $g_1, \dots, g_k$, $g_1^{x_1}, \dots, g_k^{x_k}$ are uniformly distributed in $G^k$ while $u_1 = g_1^{x_1^{-1}}, \dots, u_k = g_k^{x_k^{-1}}$ for each $x_i$ uniformly distributed in $\mathbb{Z}_q$
• GInvDDH assumption: no polynomial statistical test

26
• 6-DDH  4-DDH
• A machine $M$ that can get a non-negligible advantage $\varepsilon$ between $D_4$ and $R_4$
• Given any six-tuple $(g_1, g_2, g_3, u_1, u_2, u_3)$, which comes from either $R_6$ or $D_6$,
• $M'$ runs $M$ on the quadruple $(g_1 g_2, g_3, u_1 u_2, u_3)$ and simply forwards the answer.
• If the input comes from $D_4$ ($D_6$ respectively), it outputs 1, and 0 if the input tuple comes from $R_4$ ($R_6$ respectively).


28
• 4-DDH  6-DDH
• A machine $M$ that can get a non-negligible advantage $\varepsilon$ between $D_6$ and $R_6$
• Given a quadruple $(g_1, g_2, u_1, u_2)$,
• $M'$ runs $M$ on the six-tuple $(g_1, g_2, g_1^s g_2^t, u_1, u_2, u_1^s u_2^t)$ for randomly chosen $s$ and $t$ in $\mathbb{Z}_q$, and forwards the answer.
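The tuple transformations used in the decisional reductions on slides 19, 20, 26 and 28, as an added Python example (not code from the paper or the presentation). The toy group, the brute-force membership test `in_D` that stands in for a distinguisher, and all function names are assumptions made for illustration.

```python
import secrets

Q = 1019               # toy prime order (constructed; far too small for real use)
P = 2 * Q + 1          # 2039, the slides' form p = 2q + 1
G = 4                  # generates the order-Q subgroup of squares mod P

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)     # nonzero exponent in Z_q

def in_D(gs, us):
    """Brute-force membership in D_2k: a single r with u_i = g_i^r for every i.
    A DH quadruple (g, g^a, g^b, g^ab) is the case gs=(g, g^a), us=(g^b, g^ab)."""
    return any(all(pow(g, r, P) == u for g, u in zip(gs, us)) for r in range(Q))

def is_dh(quad):
    g, u, v, w = quad
    return in_D((g, u), (v, w))

def sddh_to_ddh(gx, gz):
    """Slide 20: (g, g^x, g^z) -> (g, u, v, w), a DH quadruple iff z = x^2."""
    s, t = rand_exp(), rand_exp()
    return G, pow(gx, s, P), pow(gx, t, P), pow(gz, s * t, P)

def dddh_to_ddh(gx, gy, gd):
    """Slide 19: (g, g^x, g^y, g^(x/y)) is resubmitted as (g, g^y, g^(x/y), g^x)."""
    return G, gy, gd, gx

def ddh4_to_ddh6(g1, g2, u1, u2):
    """Slide 28: extend a 4-tuple with the random combination g1^s g2^t, u1^s u2^t."""
    s, t = rand_exp(), rand_exp()
    g3 = pow(g1, s, P) * pow(g2, t, P) % P
    u3 = pow(u1, s, P) * pow(u2, t, P) % P
    return (g1, g2, g3), (u1, u2, u3)

def ddh6_to_ddh4(gs, us):
    """Slide 26: fold a 6-tuple down to (g1 g2, g3, u1 u2, u3)."""
    return (gs[0] * gs[1] % P, gs[2]), (us[0] * us[1] % P, us[2])
```

Structured inputs always map to structured outputs; a 4-tuple outside $D_4$ can never land in $D_6$ because its first two coordinate pairs are copied unchanged.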


30 Conclusions
• We have studied the relationship among variations of the Diffie-Hellman problem, including the computational and decisional cases, with efficient reductions.
• We show that all four variations of the computational Diffie-Hellman problem are equivalent if the order of the underlying cyclic group is a large prime.
• We are able to show that all variations are equivalent except for the argument DDH  SDDH, and thus leave an interesting open problem.
