DDH-like Assumptions Based on Extension Rings

We introduce and study a new type of DDH-like assumptions based on groups of prime order $q$. Whereas standard DDH is based on encoding elements of $\mathbb{F}_{q}$ "in the exponent" of elements in the group, we ask what happens if instead we put in the exponent elements of the extension ring $R_f = \mathbb{F}_{q}[X]/(f)$, where $f$ is a degree-$d$ polynomial. The decision problem that follows naturally reduces to the case where $f$ is irreducible. This variant is called the $d$-DDH problem, where 1-DDH is standard DDH. We show in the generic group model that $d$-DDH is harder than DDH for $d > 1$ and that we obtain, in fact, an infinite hierarchy of progressively weaker assumptions whose complexities lie "between" DDH and CDH. This leads to a large number of new schemes because virtually all known DDH-based constructions can very easily be upgraded to be based on $d$-DDH. We use the same construction and security proof but get better security and, moreover, the amortized complexity (e.g., computation per encrypted bit) is the same as when using DDH. We also show that $d$-DDH, just like DDH, is easy in bilinear groups. We therefore suggest a different type of assumption, the $d$-vector DDH problems ($d$-VDDH), which are based on $f(X) = X^d$, but with a twist to avoid problems with reducible polynomials. We show in the generic group model that $d$-VDDH is hard in bilinear groups and that the problems become harder with increasing $d$. We show that hardness of $d$-VDDH implies CCA-secure encryption, efficient Naor-Reingold style pseudorandom functions, and auxiliary input secure encryption. This can be seen as an alternative to the known family of $k$-LIN assumptions.
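To make "elements of $R_f$ in the exponent" concrete, the following added example (not code from the paper) runs Diffie-Hellman-style key agreement with exponents in $R_f$ and shows that $d = 1$ collapses to ordinary Diffie-Hellman. It assumes a ring element is encoded as the tuple of $g$ raised to each of its coefficients and that a $d$-DDH tuple has the shape of a standard DDH tuple; the toy parameters `P`, `Q`, `G`, `F` and all function names are constructed for illustration.

```python
# Toy parameters, constructed for illustration (far too small for real use).
P, Q, G = 2039, 1019, 4   # P = 2Q + 1; G generates the order-Q subgroup of Z_P^*
F = [1, 0, 1]             # f(X) = X^2 + 1, low degree first; irreducible as Q % 4 == 3

def ring_mul(a, b, f=F, q=Q):
    """Product of a and b in R_f = F_q[X]/(f), for monic f of degree d."""
    d = len(f) - 1
    prod = [0] * (2 * d - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    # Reduce modulo f using X^d = -(f_0 + f_1 X + ... + f_{d-1} X^{d-1}).
    for k in range(2 * d - 2, d - 1, -1):
        c, prod[k] = prod[k], 0
        for i in range(d):
            prod[k - d + i] = (prod[k - d + i] - c * f[i]) % q
    return prod[:d]

def encode(a, g=G, p=P):
    """Assumed encoding of a ring element 'in the exponent': (g^a_0, ..., g^a_{d-1})."""
    return [pow(g, ai, p) for ai in a]

def ring_pow(enc_a, b, f=F, p=P, q=Q):
    """Encoding of a*b from the encoding of a and b in the clear.

    Multiplication by b is F_q-linear on the coefficients of a, so each output
    coordinate is a product of powers of the input coordinates.
    """
    d = len(f) - 1
    out = [1] * d
    for i in range(d):
        unit = [1 if k == i else 0 for k in range(d)]   # the monomial X^i
        col = ring_mul(b, unit, f, q)                   # b * X^i mod f
        for j in range(d):
            out[j] = out[j] * pow(enc_a[i], col[j], p) % p
    return out

def ddh_tuple(a, b, c=None):
    """Assumed tuple shape: (g^a, g^b, g^ab) if c is None, else (g^a, g^b, g^c)."""
    return encode(a), encode(b), encode(ring_mul(a, b) if c is None else c)

if __name__ == "__main__":
    a, b = [3, 5], [7, 11]            # constructed secret ring elements
    A, B, K = ddh_tuple(a, b)
    assert ring_pow(B, a) == ring_pow(A, b) == K   # both parties derive g^(ab)
    print("shared encoding of ab:", K)
```

Each party sends $d$ group elements and the shared value also consists of $d$ group elements, which is why the amortized cost per encrypted bit can match plain DDH.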
