Discrete Logarithm Problems in Cyclic Groups: DL, CDH, and DDH, Study notes of Computer Science

Three discrete logarithm related problems in the context of cyclic groups: the discrete logarithm (dl) problem, computational diffie-hellman (cdh) problem, and decisional diffie-hellman (ddh) problem. Informal descriptions and formal definitions of these problems, as well as their relations and the hardness of each problem.

Typology: Study notes

Pre 2010

Uploaded on 08/05/2009

koofers-user-6x2
koofers-user-6x2 🇺🇸

10 documents

1 / 3

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS 4803
Computer and Network Security
Alexandra (Sasha) Boldyreva
Hard problems for public-key crypto.
Discrete log.
1
As no encryption scheme besides the
OneTimePad is unconditionally secure, we need
to find some building blocks - hard problems
(assumptions about hardness of some
problems) to base security of our new
encryption schemes on.
Block ciphers and their PRF security is not an
option since now we don’t have shared keys in
the public-key (asymmetric-key) setting.
Let’s consider the discrete log related problems
and the RSA problem.
2
Discrete-log related problems
Let G be a cyclic group and let m = |G|. The discrete
logarithm function DLogG,g(a): G ! Zm takes a 󲰉 G and returns
i 󲰉 Zm such that gi = a.
There are several computational problems related to this
function:
Discrete-logarithm (DL) problem
Computational Diffie-Hellman (CDH) problem
Decisional Diffie-Hellman (DDH) problem
2NUMBER-THEORETIC PRIMITIVES
Problem Given Figure out
Discrete logarithm (DL) gxx
Computational Diffie-Hellman (CDH) gx, gygxy
Decisional Diffie-Hellman (DDH) gx, gy, gzIs zxy (mod |G|)?
Figure 10.1: An informal description of three discrete logarithm related problems over a cyclic
group Gwith generator g. For each problem we indicate the input to the attacker, and what the
attacker must figure out to win.” The formal definitions are in the text.
One might imagine encrypting a message xZmby letting gxbe the ciphertext. An
adversary wanting to recover xis then faced with solving the discrete logarithm problem to do so.
However, as a form of encryption, this has the disadvantage of being non-functional, because an
intended recipient, namely the person to whom the sender is trying to communicate x, is faced
with the same task as the adversary in attempting to recover x.
The Diffie-Hellman (DH) problems first appeared in the context of secret key exchange. Suppose
two parties want to agree on a key which should remain unknown to an eavesdropping adversary.
The first party picks x$
Zmand sends X=gxto the second party; the second party correspond-
ingly picks y$
Zmand sends Y=gyto the first party. The quantity gxy is called the DH-key
corresponding to X, Y . We note that
Yx=gxy =Xy.(10.1)
Thus the first party, knowing Y, x, can compute the DH key, as can the second party, knowing X,y .
The adversary sees X, Y , so to recover the DH-key the adversary must solve the Computational
Diffie-Hellman (CDH) problem, namely compute gxy given X=gxand Y=gy. Similarly, we will
see later a simple asymmetric encryption scheme, based on Equation (10.1), where recovery of the
encrypted message corresponds to solving the CDH problem.
The obvious route to solving the CDH problem is to try to compute the discrete logarithm of
either Xor Yand then use Equation (10.1) to obtain the DH key. However, there might be other
routes that do not involve computing discrete logarithms, which is why CDH is singled out as a
computational problem in its own right. This problem appears to be computationally intractable
in a variety of groups.
We have seen before that security of a cryptographic scheme typically demands much more than
merely the computational intractability of recovery of some underlying key. The computational
intractability of the CDH problem turns out to be insufficient to guarantee the security of many
schemes based on DH keys, including the secret key exchange protocol and encryption scheme
mentioned above. The Decisional Diffie-Hellman (DDH) problem provides the adversary with a
task that can be no harder, but possibly easier, than solving the CDH problem, namely to tell
whether or not a given group element Zis the DH key corresponding to given group elements X, Y .
This problem too appears to be computationally intractable in appropriate groups.
We now proceed to define the problems more formally. Having done that we will provide more
specific discussions about their hardness in various different groups and their relations to each
other.
3
DL problem
Def. Let G be a cyclic group and let m = |G|. Let g be a
generator. Consider the following experiment associated with
an adversary A.
The dl-advantage of A is defined as the probability of the
above experiment outputting 1.
The discrete logarithm problem is said to be hard in G if the
dl-advantage of any adversary with reasonable resources is
small.
Bellare and Rogaway 3
10.1.2 The discrete logarithm problem
The description of the discrete logarithm problem given above was that the adversary is given as
input some group element X, and is considered successful if it can output DLogG,g(X). We would
like to associate to a specific adversary Asome advantage function measuring how well it does in
solving this problem. The measure adopted is to look at the fraction of group elements for which
the adversary is able to compute the discrete logarithm. In other words, we imagine the group
element Xgiven to the adversary as being drawn at random.
Definition 10.1 Let Gb e a cyclic group of order m, let gbe a generator of G, and let Abe an
algorithm that returns an integer in Zm. We consider the following experiment:
Experiment Expdl
G,g(A)
x$
Zm;Xgx
xA(X)
If gx=Xthen return 1 else return 0
The dl-advantage of Ais defined as
Advdl
G,g(A) = Pr !Expdl
G,g(A) = 1".
Recall that the discrete exponentiation function takes input iZmand returns the group element
gi. The discrete logarithm function is the inverse of the discrete exponentiation function. The
definition above simply measures the one-wayness of the discrete exponentiation function according
to the standard definition of one-way function. It is to emphasize this that certain parts of the
experiment are written the way they are.
The discrete logarithm problem is said to hard in Gif the dl-advantage of any adversary of
reasonable resources is small. Resources here means the time-complexity of the adversary, which
includes its code size as usual.
10.1.3 The Computational Diffie-Hellman problem
As above, the transition from the informal description to the formal definition involves considering
the group elements X, Y to be drawn at random.
Definition 10.2 Let Gb e a cyclic group of order m, let gbe a generator of G, and let Abe an
algorithm that returns an element of G. We consider the following experiment:
Experiment Expcdh
G,g(A)
x$
Zm;y$
Zm
Xgx;Ygy
ZA(X, Y )
If Z=gxy then return 1 else return 0
The cdh-advantage of Ais defined as
Advcdh
G,g(A) = Pr !Expcdh
G,g(A) = 1".
Again, the CDH problem is said to be hard in Gif the cdh-advantage of any adversary of reasonable
resources is small, where the resource in question is the adversary’s time complexity.
4
pf3

Partial preview of the text

Download Discrete Logarithm Problems in Cyclic Groups: DL, CDH, and DDH and more Study notes Computer Science in PDF only on Docsity!

CS 4803

Computer and Network Security

Alexandra (Sasha) Boldyreva

Hard problems for public-key crypto.

Discrete log.

1

• As no encryption scheme besides the

OneTimePad is unconditionally secure, we need

to find some building blocks - hard problems

(assumptions about hardness of some

problems) to base security of our new

encryption schemes on.

• Block ciphers and their PRF security is not an

option since now we don’t have shared keys in

the public-key (asymmetric-key) setting.

• Let’s consider the discrete log related problems

and the RSA problem.

2

Discrete-log related problems

• Let^ G^ be a cyclic group and let m = | G |. The discrete

logarithm function DLog

G ,g

(a): G! Z m

takes a G and returns

i Z m

such that g

i = a.

• There are several computational problems related to this

function:

• Discrete-logarithm (DL) problem

• Computational Diffie-Hellman (CDH) problem

• Decisional Diffie-Hellman (DDH) problem

2 NUMBER-THEORETIC PRIMITIVES

Problem Given Figure out

Discrete logarithm (DL) g

x

x

Computational Diffie-Hellman (CDH) g

x

, g

y

g

xy

Decisional Diffie-Hellman (DDH) g

x

, g

y

, g

z

Is z ≡ xy (mod |G|)?

Figure 10 .1: An informal description of three discrete logarithm related problems over a cyclic

group G with generator g. For each problem we indicate the input to the attacker, and what the

attacker must figure out to “win.” The formal definitions are in the text.

3

DL problem

• Def. Let^ G^ be a cyclic group and let m = | G |. Let g be a

generator. Consider the following experiment associated with

an adversary A.

• The dl-advantage of A is defined as the probability of the

above experiment outputting 1.

• The discrete logarithm problem is said to be hard in^ G^ if the

dl-advantage of any adversary with reasonable resources is

small.

Bellare and Rogaway 3

10. 1. 2 The discrete logarithm problem

The description of the discrete logarithm problem given above was that the adversary is given as

input some group element X, and is considered successful if it can output DLog G,g

(X). We would

like to associate to a specific adversary A some advantage function measuring how well it does in

solving this problem. The measure adopted is to look at the fraction of group elements for which

the adversary is able to compute the discrete logarithm. In other words, we imagine the group

element X given to the adversary as being drawn at random.

Definition 10.1 Let G be a cyclic group of order m, let g be a generator of G, and let A be an

algorithm that returns an integer in Zm. We consider the following experiment:

Experiment Exp

dl

G,g

(A)

x

$ ← Zm ; X ← g

x

x ← A(X)

If g

x = X then return 1 else return 0

The dl-advantage of A is defined as

Adv

dl

G,g

(A) = Pr

[

Exp

dl

G,g

(A) = 1

]

Recall that the discrete exponentiation function takes input i ∈ Zm and returns the group element

g

i

. The discrete logarithm function is the inverse of the discrete exponentiation function. The

definition above simply measures the one-wayness of the discrete exponentiation function according

to the standard definition of one-way function. It is to emphasize this that certain parts of the

experiment are written the way they are.

The discrete logarithm problem is said to hard in G if the dl-advantage of any adversary of

reasonable resources is small. Resources here means the time-complexity of the adversary, which

includes its code size as usual.

10. 1. 3 The Computational Diffie-Hellman problem

As above, the transition from the informal description to the formal definition involves considering

the group elements X, Y to be drawn at random.

4

CDH

• Def. Let^ G^ be a cyclic group of order m.^ Let g be a generator.

Consider the following experiment associated with an adversary A. • • • • The cdh-advantage of A is defined as the probability of the above experiment outputting 1. • • The computational Diffie-Hellman (CDH) problem is said to be hard in G if the cdh-advantage of any adversary with reasonable resources is small. its code size as usual. The Computational Diffie-Hellman problem , the transition from the informal description to the formal definition involves considering p elements X, Y to be drawn at random. on 10.2 Let G be a cyclic group of order m, let g be a generator of G, and let A be an that returns an element of G. We consider the following experiment: Experiment Exp

cdh G,g

(A)

x

$

← Z

m

; y

$

← Z

m

X ← g

x

; Y ← g

y

Z ← A(X, Y )

If Z = g

xy

then return 1 else return 0

advantage of A is defined as Adv

cdh G,g

(A) = Pr

[

Exp

cdh G,g

(A) = 1

]

.

e CDH problem is said to be hard in G if the cdh-advantage of any adversary of reasonable is small, where the resource in question is the adversary’s time complexity.

5

DDH

• Def. Let^ G^ be a cyclic group of order m.^ Let g be a generator.

Consider the following experiments associated with an adversary A. • • • • • The ddh-advantage of A is defined as the difference between probabilities of outputting 0 in two experiments. • The decisional Diffie-Hellman (DDH) problem is said to be hard in G if the ddh-advantage of any adversary with reasonable resources is small.

The formalization considers a “two worlds” setting. The adversary gets input X, Y, Z. In either world, X, Y are random group elements, but the manner in which Z is chosen depends on the world. In World 1 , Z = g xy where x = DLog G,g (X) and y = DLog G,g (Y ). In World 0 , Z is chosen at random from the group, independently of X, Y. The adversary must decide in which world it is. (Notice that this is a little different from the informal description of Fig. 10 .1 which said that the adversary is trying to determine whether or not Z = g xy , because if by chance Z = g xy in World 0 , we will declare the adversary unsuccessful if it answers 1 .) Definition 10.3 Let G be a cyclic group of order m, let g be a generator of G, let A be an algorithm that returns a bit, and let b be a bit. We consider the following experiments: Experiment Exp ddh- 1 G,g

(A)

x $ ← Zm y $ ← Z m z ← xy mod m X ← g x ; Y ← g y ; Z ← g z d ← A(X, Y, Z) Return d Experiment Exp ddh- 0 G,g

(A)

x $ ← Z m y $ ← Zm z $ ← Zm X ← g x ; Y ← g y ; Z ← g z d ← A(X, Y, Z) Return d The ddh-advantage of A is defined as Adv ddh G,g (A)^ =^ Pr [ Exp ddh- 1 G,g (A)^ =^1 ] − Pr [ Exp ddh- 0 G,g (A)^ =^1 ]

Again, the DDH problem is said to be hard in G if the ddh-advantage of any adversary of reasonable resources is small, where the resource in question is the adversary’s time complexity.

    1. 5 Relations between the problems Relative to a fixed group G and generator g for G, if you can solve the DL problem then you can solve the CDH problem, and if you can solve the CDH problem then you can solve the DDH problem. So if DL is easy then CDH is easy, and if CDH is easy then DDH is easy. Equivalently, if DDH is hard then CDH is hard, and if CDH is hard then DL is hard. We note that the converses of these statements are not known to be true. There are groups where DDH is easy, while CDH and DL appear to be hard. (We will see examples of such groups later.) Correspondingly, there could be groups where CDH is easy but DL is hard. The following Proposition provides the formal statement and proof corresponding to the above claim that if you can solve the DL problem then you can solve the CDH problem, and if you can solve the CDH problem then you can solve the DDH problem. Proposition 10.4 Let G be a cyclic group and let g be a generator of G. Let Adl be an adversary (against the DL problem). Then there exists an adversary Acdh (against the CDH problem) such that Adv dl G,g (Adl) ≤ Adv cdh G,g (Acdh). ( 10 .2) Furthermore the running time of A cdh is the that of A dl plus the time to do one exponentiation in G. Similarly let Acdh be an adversary (against the CDH problem). Then there exists an adversary 6

Relations between problems

• Fix a group and a generator

• Hardness of the problems depends on the choice of a group. Can solve DL Can solve CDH Can solve DDH DDH is hard CDH is hard DL is hard

7

• For most groups there is an algorithm that solves the DL

problem in O(|G|

1/

)

• Let’s consider G = Z p for a prime p. • Claim. [DDH is easy]. Let p! 3 be a prime, let G = Z p , and let g be a generator of G. Then there is an adversary A, with running time O(|p| 3 ) and ddh-advantage 1/2. ! !

8