Abstract
We propose a new computational problem called the twin Diffie–Hellman problem. This problem is closely related to the usual (computational) Diffie–Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie–Hellman problem. Moreover, the twin Diffie–Hellman problem is at least as hard as the ordinary Diffie–Hellman problem. However, we are able to show that the twin Diffie–Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem—this is a feature not enjoyed by the Diffie–Hellman problem, in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie–Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie–Hellman problem is hard. We present several other applications as well, including a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer–Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh–Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
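The twin Diffie–Hellman problem and the trapdoor test described above, as an added Python example (not code from the paper): it works in a constructed toy prime-order group and uses the paper's trapdoor construction X2 = g^s / X1^r with the check Z1^r · Z2 = Y^s, so solutions for (X1, X2) can be recognised by a party that knows neither logarithm.

```python
import secrets

# Constructed toy group, for illustration only: p = 2q + 1 with both prime,
# and g = 4 generates the subgroup of prime order q.  Real use needs a
# cryptographic-size q; nothing below depends on the specific numbers.
P, Q, G = 2039, 1019, 4

def exp(base, e):
    """Exponentiation in the order-q subgroup; e is reduced mod q, so
    negative exponents give inverses."""
    return pow(base, e % Q, P)

def twin_dh(sk, Y):
    """Honest twin DH solution for public key (g^x1, g^x2): (Y^x1, Y^x2)."""
    x1, x2 = sk
    return exp(Y, x1), exp(Y, x2)

def trapdoor_setup(X1):
    """The paper's trapdoor test, setup half: given X1 (logarithm unknown),
    pick random r, s in Z_q and set X2 = g^s / X1^r.  Only (r, s) is kept;
    no discrete logarithm of X1 or X2 is ever needed."""
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    X2 = exp(G, s) * exp(X1, -r) % P
    return (r, s), X2

def trapdoor_test(td, Y, Z1, Z2):
    """Decide whether (Z1, Z2) == (Y^x1, Y^x2) for the (X1, X2) from setup.
    A correct pair gives Z1^r * Z2 = Y^(r*x1 + x2) = Y^s because
    x2 = s - r*x1 (mod q).  A wrong pair satisfies this for exactly one
    value of r, and r is hidden, so it is accepted with probability 1/q."""
    r, s = td
    return exp(Z1, r) * Z2 % P == exp(Y, s)

def check_trapdoor_test(trials=100):
    """Run the test on fresh instances; returns (correct pairs accepted,
    deliberately wrong pairs accepted).  Expected: (trials, 0)."""
    ok, bad = 0, 0
    for _ in range(trials):
        x1 = secrets.randbelow(Q - 1) + 1       # known here, never given to setup
        td, X2 = trapdoor_setup(exp(G, x1))
        x2 = (td[1] - td[0] * x1) % Q           # the implied second exponent
        assert exp(G, x2) == X2
        Y = exp(G, secrets.randbelow(Q - 1) + 1)
        Z1, Z2 = twin_dh((x1, x2), Y)
        ok += trapdoor_test(td, Y, Z1, Z2)
        bad += trapdoor_test(td, Y, Z1, Z2 * G % P)  # Z2 off by a factor of g
    return ok, bad
```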
Additional information
Communicated by Nigel P. Smart
This paper was solicited by the Editors-in-Chief as one of the best papers from EUROCRYPT 2008, based on the recommendation of the program committee.
Part of this work completed while at CWI.
Supported by the research program Sentinels.
Supported by NSF award number CNS-0716690.
About this article
Cite this article
Cash, D., Kiltz, E. & Shoup, V. The Twin Diffie–Hellman Problem and Applications. J Cryptol 22, 470–504 (2009). https://doi.org/10.1007/s00145-009-9041-6
DOI: https://doi.org/10.1007/s00145-009-9041-6