Book ChapterDOI

Security analysis of the strong diffie-hellman problem

28 May 2006, pp. 1-11
TL;DR: The complexity of recovering the secret key is reduced from $O(\sqrt p)$ to $O(\sqrt{p/d})$ for Boldyreva's blind signature and the original ElGamal scheme when p-1 has a divisor $d \le p^{1/2}$ and d signature or decryption queries are allowed.
Abstract: Let g be an element of prime order p in an abelian group and $\alpha\in {{\mathbb Z}}_p$. We show that if g, $g^\alpha$, and $g^{\alpha^d}$ are given for a positive divisor d of p-1, we can compute the secret α in $O(\log p \cdot (\sqrt{p/d}+\sqrt d))$ group operations using $O(\max\{\sqrt{p/d},\sqrt d\})$ memory. If $g^{\alpha^i}$ (i=0,1,2,..., d) are provided for a positive divisor d of p+1, α can be computed in $O(\log p \cdot (\sqrt{p/d}+d))$ group operations using $O(\max\{\sqrt{p/d},\sqrt d\})$ memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by $O(\sqrt d)$ from that of the discrete logarithm problem for such primes. Further we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from $O(\sqrt p)$ to $O(\sqrt{p/d})$ for Boldyreva's blind signature and the original ElGamal scheme when p-1 (resp. p+1) has a divisor $d \le p^{1/2}$ (resp. $d \le p^{1/3}$) and d signature or decryption queries are allowed.
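As an added illustration (not code from the paper), the following Python toy implements the p-1 case of the algorithm the abstract describes on a constructed group: the subgroup of prime order p = 1013 inside $\mathbb{Z}_{2027}^*$, with d = 23 dividing p-1 = 1012. It recovers α from g, $g^\alpha$ and $g^{\alpha^d}$ with two baby-step giant-step searches of size about $\sqrt{(p-1)/d}$ and $\sqrt d$ instead of one search of size about $\sqrt p$; all parameter values are constructed for the demo.

```python
from math import isqrt

# Constructed toy parameters (not from the paper): the group is the subgroup of
# prime order P inside Z_Q^* with Q = 2P + 1, and D is a divisor of P - 1.
Q, P, D, G = 2027, 1013, 23, 4   # G = 2^2 is a quadratic residue, so it has order P
assert Q == 2 * P + 1 and (P - 1) % D == 0

def generator_of_zp_star(p):
    """Smallest generator of Z_p^* (the exponent group, of order p - 1), by trial."""
    n, factors = p - 1, set()
    for r in range(2, isqrt(p - 1) + 1):
        while n % r == 0:
            factors.add(r)
            n //= r
    factors |= {n} if n > 1 else set()
    return next(z for z in range(2, p)
                if all(pow(z, (p - 1) // r, p) != 1 for r in factors))

def bsgs_exponent(target, base, order):
    """Return x in [0, order) with target == G^(base^x) mod Q, where base has
    multiplicative order `order` mod P. Costs O(sqrt(order)) group operations
    and memory: this is the search whose size the paper bounds."""
    t = isqrt(order) + 1
    baby, e = {}, 1
    for i in range(t):                       # baby steps: G^(base^i)
        baby.setdefault(pow(G, e, Q), i)
        e = e * base % P
    step, e = pow(base, -t, P), 1            # giant stride base^(-t) in the exponent
    for j in range(t + 1):                   # target^(base^(-tj)) = G^(base^(x - tj))
        i = baby.get(pow(target, e, Q))
        if i is not None:
            return (i + t * j) % order
        e = e * step % P
    raise ValueError("no match")

def cheon_recover(g_alpha, g_alpha_d, d=D):
    """Recover alpha from g^alpha and g^(alpha^d) for d | P - 1."""
    m = (P - 1) // d
    zeta = generator_of_zp_star(P)
    k = bsgs_exponent(g_alpha_d, pow(zeta, d, P), m)   # alpha^d = zeta^(dk): search of size sqrt(m)
    eta = pow(zeta, m, P)                              # order d; alpha = zeta^k * eta^j for some j < d
    j = bsgs_exponent(pow(g_alpha, pow(zeta, -k, P), Q), eta, d)   # search of size sqrt(d)
    return pow(zeta, k, P) * pow(eta, j, P) % P

def demo(alpha=777):
    g_alpha = pow(G, alpha, Q)
    g_alpha_d = pow(G, pow(alpha, D, P), Q)           # exponent reduced mod the group order P
    return cheon_recover(g_alpha, g_alpha_d)
```

For these toy numbers the two searches have table sizes of about 7 and 5 instead of the roughly 32 a plain baby-step giant-step on $g^\alpha$ alone would need, which is the $O(\sqrt d)$ saving the abstract states.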


Citations
Journal ArticleDOI
TL;DR: In this article, the authors describe a short signature scheme that is strongly existentially unforgeable under an adaptive chosen message attack in the standard security model, and give a tight reduction proving that their scheme is secure in any group in which the Strong Diffie-Hellman (SDH) assumption holds, without relying on the random oracle model.
Abstract: We describe a short signature scheme that is strongly existentially unforgeable under an adaptive chosen message attack in the standard security model. Our construction works in groups equipped with an efficient bilinear map, or, more generally, an algorithm for the Decision Diffie-Hellman problem. The security of our scheme depends on a new intractability assumption we call Strong Diffie-Hellman (SDH), by analogy to the Strong RSA assumption with which it shares many properties. Signature generation in our system is fast and the resulting signatures are as short as DSA signatures for comparable security. We give a tight reduction proving that our scheme is secure in any group in which the SDH assumption holds, without relying on the random oracle model.

577 citations

Book ChapterDOI
06 Mar 2011
TL;DR: This paper proposes the first key-policy attribute-based encryption schemes allowing for non-monotonic access structures (i.e., that may contain negated attributes) and with constant ciphertext size and describes a new efficient identity-based revocation mechanism that gives rise to the first truly expressive KP-ABE realization with constant-size ciphertexts.
Abstract: Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor, the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exceptions only support restricted forms of threshold access policies. This paper proposes the first key-policy attribute-based encryption (KP-ABE) schemes allowing for non-monotonic access structures (i.e., that may contain negated attributes) and with constant ciphertext size. Towards achieving this goal, we first show that a certain class of identity-based broadcast encryption schemes generically yields monotonic KP-ABE systems in the selective set model. We then describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the first truly expressive KP-ABE realization with constant-size ciphertexts. The downside of these new constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.

395 citations


Cites background from "Security analysis of the strong dif..."

  • ...In a stricter sense, one may want to also consider the compensation due to the attack on q-type assumptions by Cheon [17]....


Book ChapterDOI
05 Dec 2010
TL;DR: The polynomial commitment schemes are useful tools to reduce the communication cost in cryptographic protocols and are applied to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.
Abstract: We introduce and formally define polynomial commitment schemes, and provide two efficient constructions. A polynomial commitment scheme allows a committer to commit to a polynomial with a short string that can be used by a verifier to confirm claimed evaluations of the committed polynomial. Although the homomorphic commitment schemes in the literature can be used to achieve this goal, the sizes of their commitments are linear in the degree of the committed polynomial. On the other hand, polynomial commitments in our schemes are of constant size (single elements). The overhead of opening a commitment is also constant; even opening multiple evaluations requires only a constant amount of communication overhead. Therefore, our schemes are useful tools to reduce the communication cost in cryptographic protocols. On that front, we apply our polynomial commitment schemes to four problems in cryptography: verifiable secret sharing, zero-knowledge sets, credentials and content extraction signatures.

381 citations


Additional excerpts

  • ...See Cheon [14] for a security analysis....


Book ChapterDOI
14 Aug 2011
TL;DR: In this article, the problem of computing on large datasets that are stored on an untrusted server was studied, and the first practical verifiable computation scheme for high degree polynomial functions was presented.
Abstract: We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many noncryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup membership problem in composite order bilinear groups.

351 citations

Book ChapterDOI
20 Feb 2009
TL;DR: It is shown that the OPRF implies a new practical fully-simulatable adaptive (and committed) OT protocol secure without ROM and implies the first secure computation protocol of set intersection on committed data with computational cost of O(N) exponentiations where N is the maximum size of both data sets.
Abstract: An Oblivious Pseudorandom Function (OPRF) [15] is a two-party protocol between sender S and receiver R for securely computing a pseudorandom function $f_k(\cdot)$ on key k contributed by S and input x contributed by R, in such a way that receiver R learns only the value $f_k(x)$ while sender S learns nothing from the interaction. In other words, an OPRF protocol for PRF $f_k(\cdot)$ is a secure computation for functionality $\mathcal F_{\mathsf{OPRF}}:(k,x)\rightarrow(\perp,f_k(x))$. We propose an OPRF protocol on committed inputs which requires only O(1) modular exponentiations, and has a constant number of communication rounds (two in ROM). Our protocol is secure in the CRS model under the Composite Decisional Residuosity (CDR) assumption, while the PRF itself is secure on a polynomially-sized domain under the Decisional q-Diffie-Hellman Inversion assumption on a group of composite order, where q is the size of the PRF domain, and it has a useful feature that $f_k$ is an injection for every k. A practical OPRF protocol for an injective PRF, even limited to a polynomially-sized domain, is a versatile tool with many uses in secure protocol design. We show that our OPRF implies a new practical fully-simulatable adaptive (and committed) OT protocol secure without ROM. In another example, this oblivious PRF construction implies the first secure computation protocol of set intersection on committed data with computational cost of O(N) exponentiations where N is the maximum size of both data sets.

320 citations


Cites background from "Security analysis of the strong dif..."

  • ...Consequently, by positive hardness results of [9, 13] (see also related upper bounds on q-DHI hardness given by Jung Hee Cheon [11]), the domain of this PRF is polynomially-sized, but this restriction does not stop any of the OPRF applications we listed above....


References
Book
01 Jan 1996
TL;DR: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols.
Abstract: From the Publisher: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

13,597 citations


"Security analysis of the strong dif..." refers methods in this paper

  • ...which is large enough [MOV, p.162], we can easily take a generator of ${\mathbb Z}_p$. Let 0 be a generator of ${\mathbb Z}_p$. Then we compute = d 0 that is an element of order (p-1)/d in ${\mathbb Z}_p$....


Journal ArticleDOI
Taher Elgamal
23 Aug 1985
TL;DR: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem that relies on the difficulty of computing discrete logarithms over finite fields.
Abstract: A new signature scheme is proposed, together with an implementation of the Diffie-Hellman key distribution scheme that achieves a public key cryptosystem. The security of both systems relies on the difficulty of computing discrete logarithms over finite fields.

7,514 citations

Book ChapterDOI
15 Aug 2004
TL;DR: In this article, the authors proposed a group signature scheme based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption.
Abstract: We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi.

1,956 citations

Book ChapterDOI
02 May 2004
TL;DR: The first secure IBE scheme without random oracles was presented in this article, where the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively.
Abstract: We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.

1,917 citations

Book ChapterDOI
Victor Shoup
11 May 1997
TL;DR: Lower bounds on the complexity of the discrete logarithm and related problems are proved that match the known upper bounds: any generic algorithm must perform $\Omega(p^{1/2})$ group operations, where p is the largest prime dividing the order of the group.
Abstract: This paper considers the computational complexity of the discrete logarithm and related problems in the context of "generic algorithms"--that is, algorithms which do not exploit any special properties of the encodings of group elements, other than the property that each group element is encoded as a unique binary string. Lower bounds on the complexity of these problems are proved that match the known upper bounds: any generic algorithm must perform $\Omega(p^{1/2})$ group operations, where p is the largest prime dividing the order of the group. Also, a new method for correcting a faulty Diffie-Hellman oracle is presented.

1,341 citations