A Note on Security Proofs in the Generic Model

A discrete-logarithm algorithm is called generic if it does not exploit the specific representation of the cyclic group for which it is supposed to compute discrete logarithms. Such algorithms include the well-known Baby-Step-Giant-Step procedure as well as the Pohlig-Hellman algorithm. In particular, these algorithms match a lower bound of Nachaev showing that generic discrete-log algorithms require exponentially many group operations. Building on this lower bound, Shoup and subsequently Schnorr and Jakobsson proved other discrete-log-based protocols to be intractable in the generic model. Here, we discuss pitfalls when applying the generic model to other schemes than the discrete-log problem and when interpreting such lower bounds as security proofs for these schemes.

[1]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[2]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[3]  J. Silverman "Elliptic curve discrete logarithms and index calculus," ASIACRYPT'98 , 1998 .

[4]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[5]  Silvio Micali,et al.  Non-Interactive Oblivious Transfer and Spplications , 1989, CRYPTO.

[6]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[7]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[8]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[9]  Mihir Bellare,et al.  DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem , 1999, IACR Cryptol. ePrint Arch..

[10]  Markus Jakobsson,et al.  A Practical Mix , 1998, EUROCRYPT.

[11]  Rafail Ostrovsky,et al.  Minimum resource zero knowledge proofs , 1989, 30th Annual Symposium on Foundations of Computer Science.

[12]  Yiannis Tsiounis,et al.  On the Security of ElGamal Based Encryption , 1998, Public Key Cryptography.

[13]  Toshiaki Tanaka,et al.  On the Existence of 3-Round Zero-Knowledge Protocols , 1998, CRYPTO.

[14]  Markus Jakobsson,et al.  Security of Signed ElGamal Encryption , 2000, ASIACRYPT.

[15]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[16]  V. Nechaev Complexity of a determinate algorithm for the discrete logarithm , 1994 .

[17]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[18]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[19]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[20]  Oded Goldreich,et al.  Foundations of Cryptography (Fragments of a Book) , 1995 .

[21]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[22]  R. Peralta On the distribution of quadratic residues and nonresidues modulo a prime number , 1992 .

[23]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[24]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[25]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[26]  Joe Suzuki,et al.  Elliptic Curve Discrete Logarithms and the Index Calculus , 1998, ASIACRYPT.

[27]  A. DeSantis,et al.  Zero-knowledge arguments and public-key cryptography , 1995 .