Secure Hashed Diffie-Hellman over Non-DDH Groups
The Diffie-Hellman (DH) transform is a basic cryptographic primitive used in innumerable cryptographic applications, most prominently in discrete-log based encryption schemes and in the Diffie-Hellman key exchange. In many of these applications it has been recognized that the direct use of the DH output, even over groups that satisfy the strong Decisional Diffie-Hellman (DDH) assumption, may be insecure. This is the case when the application invoking the DH transform requires a value that is pseudo-randomly distributed over a set of strings of some length rather than over the DH group in use. A well-known and general solution is to hash (using a universal hash family) the DH output; we refer to this practice as the “hashed DH transform”.
The question that we investigate in this paper is to what extent the DDH assumption is required when applying the hashed DH transform. We show that one can obtain a secure hashed DH transform over a non-DDH group G (i.e., a group in which the DDH assumption does not hold); indeed, we prove that for the hashed DH transform to be secure it suffices that G contain a sufficiently large DDH subgroup. As an application of this result, we show that the hashed DH transform is secure over Z_p^* for random prime p, provided that the DDH assumption holds over the large prime-order subgroups of Z_p^*. In particular, we obtain the same security working directly over Z_p^* as working over prime-order subgroups, without requiring any knowledge of the prime factorization of p-1 and without even having to find a generator of Z_p^*.
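The following Python code is an added example and is not part of the paper; the function names, the 256-bit toy prime size and the choice of hash family are my own. It works directly in Z_p^* for a freshly generated random prime p, never factoring p-1 and never searching for a generator, exactly the setting described above. It first exhibits the well-known reason the raw DH output over Z_p^* is not pseudorandom as a bit string (the Legendre symbol of g^{xy} is determined by those of g^x and g^y, so the quadratic-residuosity bit of the shared value is predictable and a random group element is distinguishable from the DH value with advantage 1/2), and then applies the hashed DH transform, using a random affine map over GF(2) as the universal (pairwise-independent) hash family, to derive a 128-bit key that both parties agree on. The hash key (M, b) is public; only the DH value is secret. By the leftover hash lemma the output is close to uniform as long as the DH value carries enough computational entropy, which is what the t-DDH assumption in the paper captures. A deployment would use p of at least 2048 bits; 256 bits is used here only so the example runs in well under a second.

```python
import random

# Added example (not the paper's code): hashed Diffie-Hellman over Z_p^* for a
# random prime p, with a universal hash applied to the raw DH output.
# Toy parameter sizes; a real deployment uses p of 2048 bits or more.


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test with random bases drawn from rng."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """A random prime of exactly `bits` bits. The factorisation of p-1 is never
    computed, so the prime-order subgroups of Z_p^* stay unknown to us."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def legendre(a, p):
    """Legendre symbol (a/p) in {+1, -1} for a in Z_p^*, by Euler's criterion."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def dh_legendre_consistent(p, gx, gy, z):
    """True iff z is consistent with being g^{xy} mod p.
    (g^{xy}/p) = (g/p)^{xy} is -1 exactly when (g^x/p) = (g^y/p) = -1, so the
    quadratic-residuosity bit of the real DH value is always predictable,
    while a uniformly random element of Z_p^* matches only half the time.
    This is the classic distinguisher showing DDH fails over Z_p^*."""
    predicted = -1 if legendre(gx, p) == -1 and legendre(gy, p) == -1 else 1
    return legendre(z, p) == predicted


def universal_hash_key(n_bits, k_bits, rng):
    """Public key (M, b) for the pairwise-independent family
    h_{M,b}(x) = M x + b over GF(2): k random n-bit rows plus a k-bit offset."""
    rows = [rng.getrandbits(n_bits) for _ in range(k_bits)]
    offset = rng.getrandbits(k_bits)
    return rows, offset


def universal_hash(key, x):
    """Apply h_{M,b}: output bit i is the parity of <row_i, x>, XORed with b_i."""
    rows, offset = key
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & x).count("1") & 1) << i
    return out ^ offset


def hashed_dh(p, peer_public, own_secret, key):
    """Hashed DH transform: compute g^{xy} mod p, then hash it to k bits."""
    return universal_hash(key, pow(peer_public, own_secret, p))


def demo(seed=2004, bits=256, k_bits=128, trials=200):
    """Run the whole exchange with a seeded RNG and report what happened."""
    rng = random.Random(seed)
    p = random_prime(bits, rng)
    # Any element outside {0, 1, p-1} will do: no generator of Z_p^* is needed.
    g = rng.randrange(2, p - 1)
    x, y = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
    gx, gy = pow(g, x, p), pow(g, y, p)
    gxy = pow(gx, y, p)
    # The raw DH value always passes the Legendre check ...
    real_consistent = dh_legendre_consistent(p, gx, gy, gxy)
    # ... while random elements of Z_p^* pass about half the time.
    random_consistent = sum(
        dh_legendre_consistent(p, gx, gy, rng.randrange(1, p)) for _ in range(trials)
    )
    # Hashed transform: a shared public hash key, both sides derive the same key.
    hkey = universal_hash_key(bits, k_bits, rng)
    k_alice = hashed_dh(p, gy, x, hkey)
    k_bob = hashed_dh(p, gx, y, hkey)
    return {
        "p_bits": p.bit_length(),
        "real_consistent": real_consistent,
        "random_consistent": random_consistent,
        "trials": trials,
        "keys_agree": k_alice == k_bob,
        "key_bits": k_alice.bit_length(),
    }


if __name__ == "__main__":
    print(demo())
```

The raw value g^{xy} mod p must never be used as a key directly: even a protocol that only needs one pseudorandom bit would get a bit the adversary can compute. The hash step is what turns an element of Z_p^* with high (computational) entropy into a string that is indistinguishable from uniform.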
Further contributions of the paper to the study of the DDH assumption include: the introduction of a DDH relaxation, via computational entropy, which we call the “t-DDH assumption” and which plays a central role in obtaining the above results; a characterization of DDH groups in terms of their DDH subgroups; and the analysis of the DDH (and t-DDH) assumptions when using short exponents.
Keywords: Hash Function; Prime Order; Probability Ensemble; Universal Hash Function; Secure Hash