Secure Hashed Diffie-Hellman over Non-DDH Groups

  • Rosario Gennaro
  • Hugo Krawczyk
  • Tal Rabin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3027)


The Diffie-Hellman (DH) transform is a basic cryptographic primitive used in innumerable cryptographic applications, most prominently in discrete-log based encryption schemes and in the Diffie-Hellman key exchange. In many of these applications it has been recognized that the direct use of the DH output, even over groups that satisfy the strong Decisional Diffie-Hellman (DDH) assumption, may be insecure. This is the case when the application invoking the DH transform requires a value that is pseudo-randomly distributed over a set of strings of some length rather than over the DH group in use. A well-known and general solution is to hash (using a universal hash family) the DH output; we refer to this practice as the “hashed DH transform”.

The question that we investigate in this paper is to what extent the DDH assumption is required when applying the hashed DH transform. We show that one can obtain a secure hashed DH transform over a non-DDH group G (i.e., a group in which the DDH assumption does not hold); indeed, we prove that for the hashed DH transform to be secure it suffices that G contain a sufficiently large DDH subgroup. As an application of this result, we show that the hashed DH transform is secure over Z_p^* for random prime p, provided that the DDH assumption holds over the large prime-order subgroups of Z_p^*. In particular, we obtain the same security working directly over Z_p^* as working over prime-order subgroups, without requiring any knowledge of the prime factorization of p-1 and without even having to find a generator of Z_p^*.
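The hashed DH transform over Z_p^* described above, written out as an added example (not code from the paper): a DH exchange over a prime p using a random element g of Z_p^* rather than a verified generator, with the raw DH output passed through a Carter-Wegman style universal hash to derive a short key. The toy parameters P_TOY, Q_TOY and K_BITS and all function names are constructed assumptions for illustration; the sizes are far too small for real use.

```python
import secrets

# Constructed toy parameters, far too small for real use. P_TOY is prime; nothing
# about the factorisation of P_TOY - 1 is used, and the base g chosen in __main__ is
# just an element of Z_p^*, not a verified generator, the setting the paper analyses.
P_TOY = 2_147_483_647              # 2^31 - 1, prime; Z_p^* has even (non-prime) order
Q_TOY = 2_305_843_009_213_693_951  # 2^61 - 1, prime > P_TOY; field for the hash family
K_BITS = 16                        # length in bits of the derived key

def dh_public(p, g, priv):
    """Public value g^priv mod p."""
    return pow(g, priv, p)

def dh_shared(p, peer_pub, priv):
    """Raw DH output peer_pub^priv mod p: an element of Z_p^*, not a uniform bit string."""
    return pow(peer_pub, priv, p)

def universal_hash(a, b, x, q=Q_TOY, k=K_BITS):
    """Carter-Wegman family h_{a,b}(x) = ((a*x + b) mod q) mod 2^k, 1 <= a < q, 0 <= b < q.
    The hash key (a, b) is public; only the DH output x is secret."""
    assert 1 <= a < q and 0 <= b < q and 0 <= x < q
    return ((a * x + b) % q) % (1 << k)

def sample_hash_key(q=Q_TOY):
    """Fresh random hash key, chosen independently of the DH values."""
    return 1 + secrets.randbelow(q - 1), secrets.randbelow(q)

def hashed_dh_keys(p, g, x, y, a, b):
    """Run the hashed DH transform from both sides; return (Alice's key, Bob's key)."""
    ga, gb = dh_public(p, g, x), dh_public(p, g, y)
    return (universal_hash(a, b, dh_shared(p, gb, x)),
            universal_hash(a, b, dh_shared(p, ga, y)))

if __name__ == "__main__":
    g = 1 + secrets.randbelow(P_TOY - 1)   # random element of Z_p^*; no generator search
    x = 1 + secrets.randbelow(P_TOY - 2)   # Alice's exponent
    y = 1 + secrets.randbelow(P_TOY - 2)   # Bob's exponent
    a, b = sample_hash_key()
    print(hashed_dh_keys(P_TOY, g, x, y, a, b))
```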

Further contributions of the paper to the study of the DDH assumption include: the introduction of a DDH relaxation, via computational entropy, which we call the “t-DDH assumption” and which plays a central role in obtaining the above results; a characterization of DDH groups in terms of their DDH subgroups; and the analysis of the DDH (and t-DDH) assumptions when using short exponents.

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Rosario Gennaro (1)
  • Hugo Krawczyk (2, 3)
  • Tal Rabin (1)
  1. IBM T.J. Watson Research Center, Yorktown Heights, USA
  2. Department of Electrical Engineering, Technion, Haifa, Israel
  3. IBM T.J. Watson Research Center, New York, USA
