Journal of Cryptology

, Volume 30, Issue 1, pp 242–288 | Cite as

An Algebraic Framework for Diffie–Hellman Assumptions

  • Alex Escala
  • Gottfried Herold
  • Eike Kiltz
  • Carla Ràfols
  • Jorge Villar
Article

Abstract

We put forward a new algebraic framework to generalize and analyze Diffie–Hellman like decisional assumptions which allows us to argue about security and applications by considering only algebraic properties. Our \(\mathcal {D}_{\ell ,k}\text{- }\textsf {MDDH}\) Assumption states that it is hard to decide whether a vector in \(\mathbb {G}^\ell \) is linearly dependent of the columns of some matrix in \(\mathbb {G}^{\ell \times k}\) sampled according to distribution \(\mathcal {D}_{\ell ,k}\). It covers known assumptions such as \(\textsf {DDH},\, 2\text{- }\textsf {Lin}\) (Linear Assumption) and \(k\text{- }\textsf {Lin}\) (the k-Linear Assumption). Using our algebraic viewpoint, we can relate the generic hardness of our assumptions in m-linear groups to the irreducibility of certain polynomials which describe the output of \(\mathcal {D}_{\ell ,k}\). We use the hardness results to find new distributions for which the \(\mathcal {D}_{\ell ,k}\text{- }\textsf {MDDH}\) Assumption holds generically in m-linear groups. In particular, our new assumptions \(2\text{- }\textsf {SCasc}\) and \(2\text{- }\textsf {ILin}\) are generically hard in bilinear groups and, compared to \(2\text{- }\textsf {Lin}\), have shorter description size, which is a relevant parameter for efficiency in many applications. These results support using our new assumptions as natural replacements for the \(2\text{- }\textsf {Lin}\) assumption which was already used in a large number of applications. To illustrate the conceptual advantages of our algebraic framework, we construct several fundamental primitives based on any \(\textsf {MDDH}\) Assumption. In particular, we can give many instantiations of a primitive in a compact way, including public-key encryption, hash proof systems, pseudo-random functions, and Groth–Sahai NIZK and NIWI proofs. As an independent contribution, we give more efficient NIZK and NIWI proofs for membership in a subgroup of \(\mathbb {G}^\ell \). The results imply very significant efficiency improvements for a large number of schemes.

Keywords

Diffie–Hellman assumption Generic hardness Groth–Sahai proofs Hash proof systems Public-key encryption 

References

  1. 1.
    O. Blazy, D. Pointcheval, and D. Vergnaud, Round-optimal privacy-preserving protocols with smooth projective hash functions. In R. Cramer, editor, TCC 2012, vol. 7194 of LNCS, pp. 94–111, Taormina, Sicily, Italy, March 19–21, 2012. Springer, Berlin, GermanyGoogle Scholar
  2. 2.
    D. Boneh, X. Boyen, and E.-J. Goh, Hierarchical identity based encryption with constant size ciphertext. In R. Cramer, editor, EUROCRYPT 2005, vol. 3494 of LNCS, pp. 440–456, Aarhus, Denmark, May 22–26, 2005. Springer, Berlin, GermanyGoogle Scholar
  3. 3.
    D. Boneh, X. Boyen, and H. Shacham, Short group signatures. In M. Franklin, editor, CRYPTO 2004, vol. 3152 of LNCS, pp. 41–55, Santa Barbara, CA, USA, Aug. 15–19, 2004. Springer, Berlin, GermanyGoogle Scholar
  4. 4.
    D. Boneh and M. K. Franklin, Identity-based encryption from the Weil pairing. In J. Kilian, editor, CRYPTO 2001, vol. 2139 of LNCS, pp. 213–229, Santa Barbara, CA, USA, Aug. 19–23, 2001. Springer, Berlin, GermanyGoogle Scholar
  5. 5.
    D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, Circular-secure encryption from decision Diffie–Hellman. In D. Wagner, editor, CRYPTO 2008, vol. 5157 of LNCS, pp. 108–125, Santa Barbara, CA, USA, Aug. 17–21, 2008. Springer, Berlin, GermanyGoogle Scholar
  6. 6.
    D. Boneh, H. W. Montgomery, and A. Raghunathan, Algebraic pseudorandom functions with improved efficiency from the augmented cascade. In E. Al-Shaer, A. D. Keromytis, and V. Shmatikov, editors, ACM CCS 10, pp. 131–140, Chicago, Illinois, USA, Oct. 4–8, 2010. ACM PressGoogle Scholar
  7. 7.
    D. Boneh, A. Sahai, and B. Waters, Fully collusion resistant traitor tracing with short ciphertexts and private keys. In S. Vaudenay, editor, EUROCRYPT 2006, vol. 4004 of LNCS, pp. 573–592, St. Petersburg, Russia, May 28–June 1, 2006. Springer, Berlin, GermanyGoogle Scholar
  8. 8.
    D. Boneh and A. Silverberg, Applications of multilinear forms to cryptography. Contemporary Mathematics, 324:71–90, 2003Google Scholar
  9. 9.
    X. Boyen, The uber-assumption family (invited talk). In S. D. Galbraith and K. G. Paterson, editors, PAIRING 2008, vol. 5209 of LNCS, pp. 39–56, Egham, UK, Sept. 1–3, 2008. Springer, Berlin, GermanyGoogle Scholar
  10. 10.
    J. Camenisch, N. Chandran, and V. Shoup, A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In A. Joux, editor, EUROCRYPT 2009, vol. 5479 of LNCS, pp. 351–368, Cologne, Germany, April 26–30, 2009. Springer, Berlin, GermanyGoogle Scholar
  11. 11.
    D. Cox, J. Little, and D. O’Shea, Ideal, Varieties and Algorithms. Springer, second edition, 1996Google Scholar
  12. 12.
    R. Cramer and V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In H. Krawczyk, editor, CRYPTO’98, vol. 1462 of LNCS, pp. 13–25, Santa Barbara, CA, USA, Aug. 23–27, 1998. Springer, Berlin, GermanyGoogle Scholar
  13. 13.
    R. Cramer and V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In L. R. Knudsen, editor, EUROCRYPT 2002, vol. 2332 of LNCS, pp. 45–64, Amsterdam, The Netherlands, April 28–May 2, 2002. Springer, Berlin, GermanyGoogle Scholar
  14. 14.
    R. Cramer and V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1):167–226, 2003Google Scholar
  15. 15.
    Y. Dodis, K. Haralambiev, A. López-Alt, and D. Wichs, Cryptography against continuous memory attacks. In 51st FOCS, pp. 511–520, Las Vegas, Nevada, USA, Oct. 23–26, 2010. IEEE Computer Society PressGoogle Scholar
  16. 16.
    A. Escala, G. Herold, E. Kiltz, C. Ràfols, and J. Villar, An algebraic framework for Diffie-Hellman assumptions. In R. Canetti and J. A. Garay, editors, CRYPTO 2013, Part II, vol. 8043 of LNCS, pp. 129–147, Santa Barbara, CA, USA, Aug. 18–22, 2013. Springer, Berlin, GermanyGoogle Scholar
  17. 17.
    M. Fischlin, B. Libert, and M. Manulis, Non-interactive and re-usable universally composable string commitments with adaptive security. In D. H. Lee and X. Wang, editors, ASIACRYPT 2011, vol. 7073 of LNCS, pp. 468–485, Seoul, South Korea, Dec. 4–8, 2011. Springer, Berlin, GermanyGoogle Scholar
  18. 18.
    D. M. Freeman, Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In H. Gilbert, editor, EUROCRYPT 2010, vol. 6110 of LNCS, pp. 44–61, French Riviera, May 30–June 3, 2010. Springer, Berlin, GermanyGoogle Scholar
  19. 19.
    D. Galindo, J. Herranz, and J. L. Villar, Identity-based encryption with master key-dependent message security and leakage-resilience. In S. Foresti, M. Yung, and F. Martinelli, editors, ESORICS 2012, vol. 7459 of LNCS, pp. 627–642, Pisa, Italy, Sept. 10–12, 2012. Springer, Berlin, GermanyGoogle Scholar
  20. 20.
    R. Gennaro and Y. Lindell, A framework for password-based authenticated key exchange. In E. Biham, editor, EUROCRYPT 2003, vol. 2656 of LNCS, pp. 524–543, Warsaw, Poland, May 4–8, 2003. Springer, Berlin, Germany. http://eprint.iacr.org/2003/032.ps.gz
  21. 21.
    J. Groth and A. Sahai, Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput., 41(5):1193–1232, 2012Google Scholar
  22. 22.
    D. Hofheinz and T. Jager, Tightly secure signatures and public-key encryption. In R. Safavi-Naini and R. Canetti, editors, CRYPTO 2012, vol. 7417 of LNCS, pp. 590–607, Santa Barbara, CA, USA, Aug. 19–23, 2012. Springer, Berlin, GermanyGoogle Scholar
  23. 23.
    D. Hofheinz and E. Kiltz, Secure hybrid encryption from weakened key encapsulation. In A. Menezes, editor, CRYPTO 2007, vol. 4622 of LNCS, pp. 553–571, Santa Barbara, CA, USA, Aug. 19–23, 2007. Springer, Berlin, GermanyGoogle Scholar
  24. 24.
    A. Joux, A one round protocol for tripartite Diffie–Hellman. Journal of Cryptology, 17(4):263–276, Sept. 2004Google Scholar
  25. 25.
    C. S. Jutla and A. Roy, Shorter quasi-adaptive NIZK proofs for linear subspaces. In K. Sako and P. Sarkar, editors, ASIACRYPT 2013, Part I, vol. 8269 of LNCS, pp. 1–20, Bangalore, India, Dec. 1–5, 2013. Springer, Berlin, GermanyGoogle Scholar
  26. 26.
    C. S. Jutla and A. Roy, Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces. In J. A. Garay and R. Gennaro, editors, CRYPTO 2014, Part II, vol. 8617 of LNCS, pp. 295–312, Santa Barbara, CA, USA, Aug. 17–21, 2014. Springer, Berlin, GermanyGoogle Scholar
  27. 27.
    J. Katz and V. Vaikuntanathan, Round-optimal password-based authenticated key exchange. In Y. Ishai, editor, TCC 2011, vol. 6597 of LNCS, pp. 293–310, Providence, RI, USA, March 28–30, 2011. Springer, Berlin, GermanyGoogle Scholar
  28. 28.
    E. Kiltz, A tool box of cryptographic functions related to the Diffie-Hellman function. In C. P. Rangan and C. Ding, editors, INDOCRYPT 2001, vol. 2247 of LNCS, pp. 339–350, Chennai, India, Dec. 16–20, 2001. Springer, Berlin, GermanyGoogle Scholar
  29. 29.
    E. Kiltz, Chosen-ciphertext security from tag-based encryption. In S. Halevi and T. Rabin, editors, TCC 2006, vol. 3876 of LNCS, pp. 581–600, New York, NY, USA, March 4–7, 2006. Springer, Berlin, GermanyGoogle Scholar
  30. 30.
    E. Kiltz, K. Pietrzak, M. Stam, and M. Yung, A new randomness extraction paradigm for hybrid encryption. In A. Joux, editor, EUROCRYPT 2009, vol. 5479 of LNCS, pp. 590–609, Cologne, Germany, April 26–30, 2009. Springer, Berlin, GermanyGoogle Scholar
  31. 31.
    E. Kiltz and H. Wee, Quasi-adaptive NIZK for linear subspaces revisited. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part II, vol. 9057 of LNCS, pp. 101–128, Sofia, Bulgaria, April 26–30, 2015. Springer, Berlin, GermanyGoogle Scholar
  32. 32.
    A. B. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In H. Gilbert, editor, EUROCRYPT 2010, vol. 6110 of LNCS, pp. 62–91, French Riviera, May 30–June 3, 2010. Springer, Berlin, GermanyGoogle Scholar
  33. 33.
    A. B. Lewko and B. Waters, Efficient pseudorandom functions from the decisional linear assumption and weaker variants. In E. Al-Shaer, S. Jha, and A. D. Keromytis, editors, ACM CCS 09, pp. 112–120, Chicago, Illinois, USA, Nov. 9–13, 2009. ACM PressGoogle Scholar
  34. 34.
    B. Libert, T. Peters, M. Joye, and M. Yung, Non-malleability from malleability: Simulation-sound quasi-adaptive NIZK proofs and CCA2-secure encryption from homomorphic signatures. In P. Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, vol. 8441 of LNCS, pp. 514–532, Copenhagen, Denmark, May 11–15, 2014. Springer, Berlin, GermanyGoogle Scholar
  35. 35.
    B. Libert and M. Yung, Non-interactive CCA-secure threshold cryptosystems with adaptive security: New framework and constructions. In R. Cramer, editor, TCC 2012, vol. 7194 of LNCS, pp. 75–93, Taormina, Sicily, Italy, March 19–21, 2012. Springer, Berlin, GermanyGoogle Scholar
  36. 36.
    S. Meiklejohn, H. Shacham, and D. M. Freeman, Limitations on transformations from composite-order to prime-order groups: The case of round-optimal blind signatures. In M. Abe, editor, ASIACRYPT 2010, vol. 6477 of LNCS, pp. 519–538, Singapore, Dec. 5–9, 2010. Springer, Berlin, GermanyGoogle Scholar
  37. 37.
    M. Naor and O. Reingold, Number-theoretic constructions of efficient pseudo-random functions. In 38th FOCS, pp. 458–467, Miami Beach, Florida, Oct. 19–22, 1997. IEEE Computer Society PressGoogle Scholar
  38. 38.
    M. Naor and G. Segev, Public-key cryptosystems resilient to key leakage. In S. Halevi, editor, CRYPTO 2009, vol. 5677 of LNCS, pp. 18–35, Santa Barbara, CA, USA, Aug. 16–20, 2009. Springer, Berlin, GermanyGoogle Scholar
  39. 39.
    M. Naor and M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks. In 22nd ACM STOC, pp. 427–437, Baltimore, Maryland, USA, May 14–16, 1990. ACM PressGoogle Scholar
  40. 40.
    T. Okamoto and K. Takashima, Fully secure functional encryption with general relations from the decisional linear assumption. In T. Rabin, editor, CRYPTO 2010, vol. 6223 of LNCS, pp. 191–208, Santa Barbara, CA, USA, Aug. 15–19, 2010. Springer, Berlin, GermanyGoogle Scholar
  41. 41.
    T. Okamoto and K. Takashima, Achieving short ciphertexts or short secret-keys for adaptively secure general inner-product encryption. In D. Lin, G. Tsudik, and X. Wang, editors, CANS 11, vol. 7092 of LNCS, pp. 138–159, Sanya, China, Dec. 10–12, 2011. Springer, Berlin, GermanyGoogle Scholar
  42. 42.
    T. Okamoto and K. Takashima, Fully secure unbounded inner-product and attribute-based encryption. In X. Wang and K. Sako, editors, ASIACRYPT 2012, vol. 7658 of LNCS, pp. 349–366, Beijing, China, Dec. 2–6, 2012. Springer, Berlin, GermanyGoogle Scholar
  43. 43.
    J. H. Seo, On the (im)possibility of projecting property in prime-order setting. In X. Wang and K. Sako, editors, ASIACRYPT 2012, vol. 7658 of LNCS, pp. 61–79, Beijing, China, Dec. 2–6, 2012. Springer, Berlin, GermanyGoogle Scholar
  44. 44.
    J. H. Seo and J. H, Cheon, Beyond the limitation of prime-order bilinear groups, and round optimal blind signatures. In R. Cramer, editor, TCC 2012, vol. 7194 of LNCS, pp. 133–150, Taormina, Sicily, Italy, March 19–21, 2012. Springer, Berlin, GermanyGoogle Scholar
  45. 45.
    H. Shacham, A cramer-shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074, 2007. http://eprint.iacr.org/
  46. 46.
    J. L. Villar, Optimal reductions of some decisional problems to the rank problem. In X. Wang and K. Sako, editors, ASIACRYPT 2012, vol. 7658 of LNCS, pp. 80–97, Beijing, China, Dec. 2–6, 2012. Springer, Berlin, GermanyGoogle Scholar
  47. 47.
    S. Wolf, Information-Theoretically and Computionally Secure Key Agreement in Cryptography. Ph.D. thesis, ETH Zuerich, 1999Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Alex Escala
    • 1
  • Gottfried Herold
    • 2
  • Eike Kiltz
    • 2
  • Carla Ràfols
    • 2
  • Jorge Villar
    • 1
  1. 1.Departament de Matemàtica Aplicada IVUniversitat Politècnica de CatalunyaBarcelonaSpain
  2. 2.Horst-Görtz Institute for IT Security and Faculty of MathematicsRuhr-Universität BochumBochumGermany

Personalised recommendations