XDH Assumption
   HOME

TheInfoList



Click Here for Items Related To - XDH Assumption
OR:
XDH Assumption on:   [Wikipedia]   [Google]   [Amazon]

The external Diffie–Hellman (XDH) assumption is a
computational hardness assumption In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently (where ''efficiently'' typically means "in polynomial time"). It is not known how to prove (unconditi ...
used in
elliptic curve cryptography Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys to provide equivalent security, compared to cryptosystems based on modula ...
. The XDH assumption holds if there exist certain
subgroup In group theory, a branch of mathematics, a subset of a group G is a subgroup of G if the members of that subset form a group with respect to the group operation in G. Formally, given a group (mathematics), group under a binary operation  ...
s of elliptic curves which have useful properties for cryptography. Specifically, XDH implies the existence of two distinct groups \langle_1, _2\rangle with the following properties: # The
discrete logarithm problem In mathematics, for given real numbers a and b, the logarithm \log_b(a) is a number x such that b^x=a. Analogously, in any group G, powers b^k can be defined for all integers k, and the discrete logarithm \log_b(a) is an integer k such that b^k=a ...
(DLP), the computational Diffie–Hellman problem (CDH), and the computational co-Diffie–Hellman problem are all intractable in _1 and _2. # There exists an efficiently computable
bilinear map In mathematics, a bilinear map is a function combining elements of two vector spaces to yield an element of a third vector space, and is linear in each of its arguments. Matrix multiplication is an example. A bilinear map can also be defined for ...
(pairing) e(\cdot, \cdot) : _1 \times _2 \rightarrow _T. # The decisional Diffie–Hellman problem (DDH) is intractable in _1. The above formulation is referred to as asymmetric XDH. A stronger version of the assumption (symmetric XDH, or SXDH) holds if DDH is ''also'' intractable in _2. The XDH assumption is used in some pairing-based cryptographic protocols. In certain elliptic curve subgroups, the existence of an efficiently-computable
bilinear map In mathematics, a bilinear map is a function combining elements of two vector spaces to yield an element of a third vector space, and is linear in each of its arguments. Matrix multiplication is an example. A bilinear map can also be defined for ...
(pairing) can allow for practical solutions to the DDH problem. These groups, referred to as gap Diffie–Hellman (GDH) groups, facilitate a variety of novel cryptographic protocols, including tri-partite key exchange, identity based encryption, and
secret handshakes A secret handshake is a distinct form of handshake or greeting which indicates membership in or loyalty to a Club (organization), club, clique or subculture. The typical secret handshake involves placing one's fingers or thumbs in a particular p ...
(to name a few). However, the ease of computing DDH within a GDH group can also be an obstacle when constructing cryptosystems; for example, it is not possible to use DDH-based cryptosystems such as
ElGamal In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in th ...
within a GDH group. Because the DDH assumption holds within at least one of a pair of XDH groups, these groups can be used to construct pairing-based protocols which allow for ElGamal-style encryption and other novel cryptographic techniques. In practice, it is believed that the XDH assumption may hold in certain subgroups of MNT elliptic curves. This notion was first proposed by Scott (2002), and later by Boneh, Boyen and Shacham (2002) as a means to improve the efficiency of a signature scheme. The assumption was formally defined by Ballard, Green, de Medeiros and Monrose (2005), and full details of a proposed implementation were advanced in that work. Evidence for the validity of this assumption is the proof by Verheul (2001) and Galbraith and Rotger (2004) of the non-existence of distortion maps in two specific elliptic curve subgroups which possess an efficiently computable pairing. As pairings and distortion maps are currently the only known means to solve the DDH problem in elliptic curve groups, it is believed that the DDH assumption therefore holds in these subgroups, while pairings are still feasible between elements in distinct groups.


References

# Mike Scott. Authenticated ID-based exchange and remote log-in with simple token and PIN. E-print archive (2002/164), 2002.
pdf file
# Dan Boneh, Xavier Boyen, Hovav Shacham. Short Group Signatures. CRYPTO 2004.
pdf file
# Lucas Ballard, Matthew Green, Breno de Medeiros, Fabian Monrose. Correlation-Resistant Storage via Keyword-Searchable Encryption. E-print archive (2005/417), 2005.
pdf file
# Steven D Galbraith, Victor Rotger. Easy Decision Diffie–Hellman Groups. LMS Journal of Computation and Mathematics, August 2004.

# E.R. Verheul, Evidence that XTR is more secure than supersingular elliptic curve cryptosystems, in B. Pfitzmann (ed.) EUROCRYPT 2001, Springer LNCS 2045 (2001) 195–210

{{Computational hardness assumptions Computational hardness assumptions Elliptic curve cryptography Pairing-based cryptography