# An Algebraic Framework for Diffie–Hellman Assumptions

## Abstract

We put forward a new algebraic framework to generalize and analyze Diffie–Hellman-like decisional assumptions, which allows us to argue about security and applications by considering only algebraic properties. Our \(\mathcal {D}_{\ell ,k}\text{- }\textsf {MDDH}\) Assumption states that it is hard to decide whether a vector in \(\mathbb {G}^\ell \) is linearly dependent on the columns of some matrix in \(\mathbb {G}^{\ell \times k}\) sampled according to the distribution \(\mathcal {D}_{\ell ,k}\). It covers known assumptions such as \(\textsf {DDH},\, 2\text{- }\textsf {Lin}\) (Linear Assumption) and \(k\text{- }\textsf {Lin}\) (the *k*-Linear Assumption). Using our algebraic viewpoint, we can relate the generic hardness of our assumptions in *m*-linear groups to the irreducibility of certain polynomials which describe the output of \(\mathcal {D}_{\ell ,k}\). We use the hardness results to find new distributions for which the \(\mathcal {D}_{\ell ,k}\text{- }\textsf {MDDH}\) Assumption holds generically in *m*-linear groups. In particular, our new assumptions \(2\text{- }\textsf {SCasc}\) and \(2\text{- }\textsf {ILin}\) are generically hard in bilinear groups and, compared to \(2\text{- }\textsf {Lin}\), have a shorter description size, which is a relevant parameter for efficiency in many applications. These results support using our new assumptions as natural replacements for the \(2\text{- }\textsf {Lin}\) assumption, which has already been used in a large number of applications. To illustrate the conceptual advantages of our algebraic framework, we construct several fundamental primitives based on any \(\textsf {MDDH}\) Assumption. In particular, we can give many instantiations of a primitive in a compact way, including public-key encryption, hash proof systems, pseudo-random functions, and Groth–Sahai NIZK and NIWI proofs. As an independent contribution, we give more efficient NIZK and NIWI proofs for membership in a subgroup of \(\mathbb {G}^\ell \). The results imply very significant efficiency improvements for a large number of schemes.
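The following is an added toy model of the \(\mathcal {D}_{\ell ,k}\text{- }\textsf {MDDH}\) game described in the abstract; it is example code written for this page, not code from the paper or its authors. Group elements \([x] = g^x\) are represented by their exponents in \(\mathbb {Z}_q\) so that the "is \(z\) in the column span of \(A\)" question becomes an explicit rank check, which is exactly what a distinguisher that only sees \(g^x\) is assumed to be unable to do. The matrices for DDH and \(k\text{- }\textsf {Lin}\) follow their standard definitions; the \(k\text{- }\textsf {SCasc}\) and \(k\text{- }\textsf {ILin}\) matrices are taken from the full paper and are not spelled out on this page. The prime \(q = 1019\), \(p = 2q+1\) and generator \(g = 4\) are constructed toy parameters, far too small for any real use.

```python
"""Toy model of the D_{l,k}-MDDH framework (added example, not the paper's code).

A group element [x] = g^x is represented by x in Z_Q; [A] for a matrix is the
entry-wise encoding.  An MDDH instance is ([A], [z]) and the task is to decide
whether z lies in the column span of A.  With the exponents known (as here)
this is Gaussian elimination; the assumption is that it is hard given only
the encodings produced by encode().
"""
from __future__ import annotations
import secrets

Q = 1019   # constructed toy prime group order; real parameters use ~256-bit q
P = 2039   # P = 2Q + 1, so the squares mod P form a subgroup of order Q
G = 4      # 4 = 2^2 is a non-trivial square mod P, hence generates that subgroup

Matrix = list[list[int]]
Vector = list[int]


def rank_mod_q(rows: Matrix) -> int:
    """Rank over Z_Q by row reduction (entries are reduced mod Q first)."""
    M = [[x % Q for x in r] for r in rows]
    ncols = len(M[0]) if M else 0
    rank = 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(M)) if M[r][col]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][col], -1, Q)
        M[rank] = [(x * inv) % Q for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % Q for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank


def in_column_span(A: Matrix, z: Vector) -> bool:
    """The MDDH predicate with exponents known: z = A.w for some w iff rank is unchanged."""
    aug = [row + [zi] for row, zi in zip(A, z)]
    return rank_mod_q(aug) == rank_mod_q(A)


# --- matrix distributions D_{l,k}; all of them have l = k + 1 -----------------
def ddh_matrix(a: int) -> Matrix:
    """D_{2,1} (DDH): A = (1, a)^T, so ([A],[A.w]) = (g, g^a, g^w, g^{aw})."""
    return [[1], [a % Q]]


def k_lin_matrix(params: list[int]) -> Matrix:
    """k-Lin: diag(a_1, ..., a_k) above a row of ones; k random exponents."""
    k = len(params)
    rows = [[params[i] % Q if j == i else 0 for j in range(k)] for i in range(k)]
    return rows + [[1] * k]


def scasc_matrix(a: int, k: int) -> Matrix:
    """k-SCasc (definition from the full paper): a on the diagonal, 1 on the
    subdiagonal, size (k+1) x k.  Description size: one random exponent."""
    rows = []
    for i in range(k + 1):
        row = [0] * k
        if i < k:
            row[i] = a % Q
        if i >= 1:
            row[i - 1] = 1
        rows.append(row)
    return rows


def ilin_matrix(a: int, k: int) -> Matrix:
    """k-ILin (definition from the full paper): diag(a, a+1, ..., a+k-1) above a
    row of ones.  Description size: one random exponent, a+i is derived."""
    rows = [[(a + i) % Q if j == i else 0 for j in range(k)] for i in range(k)]
    return rows + [[1] * k]


def real_instance(A: Matrix, w: Vector) -> Vector:
    """z = A.w mod Q: the 'real' case, z is in the column span by construction."""
    return [sum(aij * wj for aij, wj in zip(row, w)) % Q for row in A]


def random_instance(l: int) -> Vector:
    """Uniform z in Z_Q^l: the 'random' case (in the span only with prob. ~ Q^(k-l))."""
    return [secrets.randbelow(Q) for _ in range(l)]


def encode(vec: Vector) -> list[int]:
    """What the distinguisher actually sees: [z] = (g^{z_1}, ..., g^{z_l}) mod P."""
    return [pow(G, x, P) for x in vec]


def mddh_instance(A: Matrix, real: bool) -> tuple[list[list[int]], list[int]]:
    """Sample a challenge ([A], [z]) for the MDDH game; only group elements leave."""
    l, k = len(A), len(A[0])
    w = [secrets.randbelow(Q) for _ in range(k)]
    z = real_instance(A, w) if real else random_instance(l)
    return [encode(row) for row in A], encode(z)


if __name__ == "__main__":
    A = k_lin_matrix([secrets.randbelow(Q), secrets.randbelow(Q)])   # 2-Lin
    enc_A, enc_z = mddh_instance(A, real=True)
    print("2-Lin challenge [A] =", enc_A, "[z] =", enc_z)
    print("2-SCasc matrix:", scasc_matrix(5, 2), " 2-ILin matrix:", ilin_matrix(5, 2))
```

The `description size` the abstract refers to is visible in the constructors: `k_lin_matrix` needs `k` independent random exponents, while `scasc_matrix` and `ilin_matrix` are fully determined by a single one, so `[A]` costs fewer group elements to publish.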

## Keywords

- Diffie–Hellman assumption
- Generic hardness
- Groth–Sahai proofs
- Hash proof systems
- Public-key encryption

## Notes

### Acknowledgments

We thank Duong Hieu Phan for pointing out a small mistake in a previous draft.
