Computational Diffie–Hellman assumption

The computational Diffie–Hellman (CDH assumption) is the assumption that a certain computational problem within a cyclic group is hard.

Consider a cyclic group G of order q. The CDH assumption states that, given

(g,g^a,g^b) \,

for a randomly-chosen generator g and random

a,b \in \{0, \ldots, q-1\},\,

it is computationally intractable to compute the value

g^{ab}. \,

The security of many cryptosystems is based on the CDH assumption, including notably the Diffie–Hellman key agreement scheme. Also, the confidentiality of ElGamal encryption is equivalent to the CDH assumption (though the semantic security of the scheme is based on the decisional Diffie–Hellman assumption).

The CDH assumption is related to the discrete logarithm assumption, which holds that computing the discrete logarithm of a value base a generator g is hard. If taking discrete logs in {\mathbb G} were easy, then the CDH assumption would be false: given

(g,g^a,g^b), \,

one could efficiently compute g^{ab} in the following way:

It is an open problem to determine whether the discrete log assumption is equivalent to CDH, though in certain special cases this can be shown to be the case.

The CDH assumption is also related to the decisional Diffie–Hellman assumption (DDH), which holds that it is hard to distinguish tuples of the form (g,g^a,g^b,g^{ab}) from random tuples. If computing g^{ab} from (g,g^a,g^b) were easy, then one could detect DDH tuples trivially. It is believed that CDH is a weaker assumption than DDH: there are groups for which detecting DDH tuples is easy, but solving CDH problems is believed to be hard.

See also

References

  1. Variations of the Diffie–Hellman Problem (pdf file)
  2. Towards the Equivalence of Breaking the Diffie–Hellman Protocol and Computing Discrete Logarithms (pdf file)