Decisional Diffie-Hellman assumption

From Wikipedia, the free encyclopedia

The decisional Diffie-Hellman (DDH) assumption is the assumption that a certain computational problem within a cyclic group is hard.

Consider a cyclic group $G$ of order $q$ . The DDH assumption states that, given $(g, g a, g b)$ for a randomly-chosen generator $g$ and random $a,b \in \{0, \ldots, q-1\}$ , the value $g a b$ "looks like" a perfectly random element of $G$ .

This intuitive notion is formally stated by saying that the following two ensembles are computationally indistinguishable:

$(g, g a, g b, g a b)$ , where $g, a, b$ are chosen at random as described above (this input is called a "DDH tuple");
$(g, g a, g b, g c)$ , where $g, a, b$ are chosen at random and $c$ is chosen at random from $\{0, \ldots, q-1\}$ .

Note that, in the second ensemble, the value $g c$ is a random element of $G$ (independent of $g$ , and of course $g a, g b$ ) because $g$ is a generator.

The semantic security of ElGamal encryption is equivalent to the DDH assumption.

The DDH assumption is related to the discrete log assumption. If taking discrete logs in $G$ were easy, then the DDH assumption would be false: given $(g, g a, g b, z)$ , one could efficiently decide whether $z = g a b$ in the following way:

compute $a$ by taking the discrete log of $g a$ ;
compute $g a b$ by exponentiation: $g a b = (g b) a$ ;
compare $g a b$ to z.

It is believed that DDH is a stronger assumption than discrete log, in the following sense: there are groups for which detecting DDH tuples is easy, but computing discrete logs is believed to be hard.

The DDH assumption is also related to the computational Diffie-Hellman assumption (CDH). If computing $g a b$ from $(g, g a, g b)$ were easy, then one could detect DDH tuples in a manner similar to the above algorithm. It is believed that DDH is a stronger assumption than CDH: there are groups for which detecting DDH tuples is easy, but computing the Diffie-Hellman value $g a b$ is believed to be hard. Or put in another way; DDH is stronger because there are fewer groups in which DDH holds than in which CDH holds.

The problem of detecting DDH tuples is random self-reducible, meaning, roughly, that if it is hard for even a small fraction of inputs, it is hard for almost all inputs; if it is easy for even a small fraction of inputs, it is easy for almost all inputs.

[edit] See also

[edit] References

Dan Boneh, The Decision Diffie-Hellman Problem, ANTS 1998, pp. 48–63 [1].

Retrieved from "http://en.wikipedia.org../../../d/e/c/Decisional_Diffie-Hellman_assumption_bb4c.html"

Category: Asymmetric-key cryptosystems

Decisional Diffie-Hellman assumption

From Wikipedia, the free encyclopedia

[edit] See also

[edit] References

Views

Navigation

Search