Hidden Pairings and Trapdoor DDH Groups

  • Alexander W. Dent
  • Steven D. Galbraith
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4076)


This paper suggests a new building block for cryptographic protocols and gives two instantiations of it. The concept is to generate two descriptions of the same group: a public description that allows a user to perform group operations, and a private description that allows a user to also compute a bilinear pairing on the group. A user who has the private information can therefore solve decisional Diffie-Hellman (DDH) problems, and potentially also discrete logarithm problems. Some cryptographic applications of this idea are given.

Both instantiations are based on elliptic curves. The first relies on the factoring assumption for hiding the pairing. The second relies on the difficulty of solving a system of multivariate equations. The second method also potentially gives rise to a practical trapdoor discrete logarithm system.


Elliptic Curve Elliptic Curf Discrete Logarithm Discrete Logarithm Problem Random Oracle Model 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Blake, I., Seroussi, G., Smart, N.P.: Advances in elliptic curve cryptography, Cambridge (2005)Google Scholar
  2. 2.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. 3.
    Boneh, D.: Personal communication (July 1, 2005)Google Scholar
  4. 4.
    Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33(1), 167–226 (2004)CrossRefMathSciNetGoogle Scholar
  6. 6.
    Demytko, N.: A new elliptic curve based analogue of RSA. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 40–49. Springer, Heidelberg (1994)Google Scholar
  7. 7.
    Frey, G.: How to disguise an elliptic curve (Weil descent), Talk at ECC, Slides (1998), Available from: http://www.cacr.math.uwaterloo.ca/conferences/1998/ecc98/frey.ps
  8. 8.
    Frey, G., Rück, H.-G.: A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp. 62(206), 865–874 (1994)MATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Galbraith, S.D., McKee, J.F.: Pairings on elliptic curves over finite commutative rings. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 392–409. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Galbraith, S.D.: Disguising tori and elliptic curves (preprint, 2006)Google Scholar
  11. 11.
    Gordon, D.M.: Designing and detecting trapdoors for discrete log cryptosystems. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 66–75. Springer, Heidelberg (1993)Google Scholar
  12. 12.
    Hühnlein, D., Jacobson, M.J., Weber, D.: Towards practical non-interactive public key cryptosystems using non-maximal imaginary quadratic orders. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 275–297. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  13. 13.
    Joux, A., Nguyen, K.: Separating Decision Diffie–Hellman from Diffie–Hellman in cryptographic groups. J. Crypt. 16, 239–248 (2003)MATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Joux, A., Lercier, R.: Discrete logarithms in GF(2607) and GF(2613), posting to the Number Theory Mailing List (September 23, 2005)Google Scholar
  15. 15.
    Lenstra Jr., H.W.: Factoring integers with elliptic curves. Annals of Mathematics 126, 649–673 (1987)CrossRefMathSciNetGoogle Scholar
  16. 16.
    Lenstra Jr., H.W.: Elliptic curves and number theoretic algorithms. In: Proc. International Congr. Math., Berkeley 1986, pp. 99–120. AMS (1988)Google Scholar
  17. 17.
    Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)MATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Naccache, D., Stern, J.: A new public-key cryptosystem based on higher residues. In: ACM Conference on Computer and Communications Security, pp. 59–66 (1998)Google Scholar
  19. 19.
    Okamoto, T., Uchiyama, S.: A new public key cryptosystem as secure as factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  20. 20.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  21. 21.
    Rivest, R.L.: Homework 4 of course 6.897 “Selected Topics in Cryptography” (May 2004), http://theory.lcs.mit.edu/classes/6.897/spring04/hw4.txt
  22. 22.
    Teske, E.: An elliptic curve trapdoor scheme. J. Crypt. 19, 115–133 (2006)MATHCrossRefMathSciNetGoogle Scholar
  23. 23.
    Thomé, E.: Computation of discrete logarithms in GF(2607). In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 107–124. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    Thomé, E.: Personal communication (January 9, 2006)Google Scholar
  25. 25.
    Vanstone, S., Zuccherato, R.J.: Elliptic curve cryptosystem using curves of smooth order over the ring Zn. IEEE Trans. Inf. Theory 43(4), 1231–1237 (1997)MATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Alexander W. Dent
    • 1
  • Steven D. Galbraith
    • 1
  1. 1.Information Security GroupSurreyUK

Personalised recommendations