The Hardness of the DHK Problem in the Generic Group Model

In this note we prove that the controversial Diffie-Hellman Knowledge problem is secure in the generic group model. This appears to be the first paper that presents any evidence as to whether the DiffieHellman Knowledge problem is true or false, although a similar result was developed independently and in parallel by Abe and Fehr [1]. 1 The Generic Group Model It is clear that the way in which we represent a group to a polynomial-time algorithm affects the computational power of that algorithm. For example, the computational Diffie-Hellman problem is (almost) always presented as a problem on a representation of the group Cp, where p is a large prime number. However, it is clear that the difficulty of solving the Diffie-Hellman problem depends on the way the group Cp is represented: if Cp is presented as additive arithmetic modulo p then the Diffie-Hellman problems is easy, whereas if Cp is presented as the order p subgroup of the multiplicative group of a finite field or of an elliptic curve group then we believe the Diffie-Hellman problem is hard to solve. The generic group model is a theoretical model that aims to analyse the success of algorithms against groups whose representations reveal no information to the attacker. There are various attempts to formalise the idea of a generic group [2, 12, 15, 17]. The most popular (and intuitively obvious) of these is that provided by Shoup [17]. In this model, the attacker is not given direct access to group elements, but to the images of group elements under the the action of a random one-to-one mapping σ : G → {0, 1}k. Group operations can be computed by the algorithm by way of a series of oracles. The attacker is given access to addition oracle ADD and an inversion oracle INV such that ADD(σ(x), σ(y)) = σ(x + y) and INV (σ(x)) = σ(−x) (1) It is clear that in this situation, the attacker can gain no advantage in solving a computational problem from the representation σ(x) of the group element x. The model has been used to provide evidence as to the hardness of several computational problems [6, 13, 17, 18]. However, we remind the reader that the generic group model can only ever be used to provide evidence as to the hardness of the problem, not to provide any kind of proof. This is because (1) it does not tell us anything the difficulty of a problem in any one particular group representation, and (2) it has been shown that there exists problems that are provably difficult in the generic group model and yet insecure when this problem is instantiated on any particular group representation [8]. Nevertheless, the generic group model has been used to justify the use of several new assumptions recently, particular in situations where authors wish to prove the security of cryptosystems without using the random oracle model. In the next section, when we consider the Diffie-Hellman Knowledge (DHK) assumption, one valid strategy that the attacker might be able to employ is to pick group elements at random (i.e. in such a way that the attacker does not know their discrete logarithm with respect to any base). This ability is not usually considered in the generic group model. We model this ability by setting k = dlog |G|e. The attacker may now generate random group elements by choosing random strings σ ∈ {0, 1}k: these will be a representation of some group element with probability at least 1/2. If a random σ is the representation of some new group element, then it will be the representation of a random group element whose image under σ has not already been computed. It may be assumed that the addition and inversion oracles return an error message when queried with a bitstring σ / ∈ Im σ. If we wish to consider groups for which it is impossible to pick random group elements, then we should take k A log |G|. It should be noted that all of known results on the difficulty of solving computational problems in the generic group model remain true when the attacker is allowed to sample group elements at random. 2 The Diffie-Hellman Knowledge (DHK) Assumption In this section we will consider the difficulty of the Diffie-Hellman Knowledge (DHK) problem in the generic group model. Definition 1. Let λ be a security parameter and σ be a representation of the cyclic group Z/nZ where n contains a prime factor p of bit-length λ. Let A be any algorithm (attacker) that takes the group elements (σ(1), σ(x)) as input, where x is chosen at random from {1, 2, . . . , n}, and outputs bitstrings (B, C) ∈ {0, 1}k × {0, 1}k. The Diffie-Hellman Knowledge (DHK) assumption states that for each polynomial-time attacker A, there exists a polynomial-time extractor A∗ that takes as input the group elements (σ(1), σ(x), B, C) and the random coins R[A] used by A, and outputs an element r ∈ {1, 2, . . . , n} such that B = σ(r) and C = σ(xr) (if such an r exists). 1 An alternative solution would be to provide the attacker with access to an oracle that randomly generates group elements. This has the advantage that the attacker can always generate a random group element with probability one. Since our analysis will assume that every new bitstring σ ∈ {0, 1} that the attacker produces is the encoding of some group element, our results will hold regardless of how we define the attacker’s ability to sample group elements. The DHK assumption is designed to capture the notion that it is impossible to create a Diffie-Hellman tuple (σ(1), σ(x), σ(r), σ(xr)) from (σ(1), σ(x)) without knowing r. This is a very strong assumption that, despite being used in several high-profile papers [4, 5, 7, 9–11], has been heavily criticised. Opponents of the assumption have pointed out that it is not efficiently falsifiable [14] and so any proof that it is false must be complex and as difficult to check as a proof that it is true. In particular, experimental evidence cannot be used to check whether this assumption is false or true. We have presented the ‘standard model’ version of the DHK problem. We will actually show that, in the generic group model, there exists a single extractor A∗ that can recover the value r produced by any polynomial-time attacker A when given the oracle queries that A used to produce its output. This is clearly sufficient to show that the DHK assumption is true for a generic group. It can be noted that the difference between the ‘standard model’ version of the DHK assumption and this ‘generic group’ version of the DHK assumption is similar to the difference between plaintext awareness in the random oracle model [3] and in the standard model [5]. This result is important because it is the first piece of evidence presented that suggests whether the DHK assumption is true or false. The proof is comparatively simple, and uses techniques suggested by Shoup [17]. It relies on the following crucial lemma [16, 17]. Lemma 1. Let F (x1, x2, . . . , xm) be a polynomial of total degree d ≥ 1. Then the probability that F (x1, x2, . . . , xm) = 0 mod n for randomly chosen values (x1, x2, . . . , xm) in Z/nZ is bounded above by d/p where p is the largest prime dividing n. Theorem 1. The DHK assumption holds in a generic group. Proof The extractor A∗ keeps track of the oracle queries of A as monomials. We set F0 = 1 and F1 = X — these represent the group elements σ(1) and σ(x). If A makes an oracle query using a bitstring σi that has not been an input or output by the addition or inversion oracles, then we assign a new variable Zi to the group element σi. The result of applying the addition oracle on the group elements σi and σj (represented by monomials Fi and Fj) is a new group element σl represented by the monomial Fl = Fi +Fj . The result of applying the inversion oracle to a group element σi (represented by monomial Fi) is a group element σl represented by the monomial −Fi. We may think of these monomials as representing the group because each element σi can be thought of as σ(Fi(x, z1, z2, . . . , zm)). This representation is completely consistent unless the attacker computes two group elements σi = σj such that Fi 6= Fj . Note that in this case we must have Fi(x, z1, z2, . . . , zm) = Fj(x, z1, z2, . . . , zm) for the randomly chosen values (x, z1, z2, . . . , zm). This occurs with probability at most O(1/p). Hence, the probability that the monomial representation is not consistent with the representation given by σ is bounded by O(m/p), which is negligible as a function of the security parameter. A eventually terminates and outputs two group elements (σi, σj) which A∗ represents as monomials (Fi, Fj). If Fi = r and Fj = rX for some value of r, then A∗ outputs r. Otherwise A∗ outputs ⊥ — that the tuple is not a Diffie-Hellman tuple. If (σ(1), σ(x), σi, σj) is a Diffie-Hellman tuple, then x · Fi(x, z1, z2, . . . , zm) = Fj(x, z1, z2, . . . , zm) ⇐⇒ x · Fi(x, z1, z2, . . . , zm)− Fj(x, z1, z2, . . . , zm) = 0 . This can occur because X · Fi = Fj (in which case Fi = r and Fj = rX, and the extractor A∗ returns the correct value r), or because X · Fi 6= Fj but the equation holds for the particular random values (x, z1, z2, . . . , zm) used (in which case the extractor fails). However, this latter event occurs with probability at most 2/p. Hence, the extractor works with non-negligible probability. ut It should be noted that a similar result was developed independently (and concurrently) by Abe and Fehr [1]. Acknowledgements Thanks to Paul Crowley and Martijn Stam for pointing out grammatical errors, and to Serge Fehr for pointing out the similarities between this note and his own work.

[1]  Ueli Maurer,et al.  Lower Bounds on Generic Algorithms in Groups , 1998, EUROCRYPT.

[2]  Moni Naor,et al.  On Cryptographic Assumptions and Challenges , 2003, CRYPTO.

[3]  Endre Szemerédi,et al.  On the Complexity of Matrix Group Problems I , 1984, FOCS.

[4]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[5]  Ivan Damgård,et al.  Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks , 1991, CRYPTO.

[6]  Toshiaki Tanaka,et al.  On the Existence of 3-Round Zero-Knowledge Protocols , 1998, CRYPTO.

[7]  Mihir Bellare,et al.  Towards Plaintext-Aware Public-Key Encryption Without Random Oracles , 2004, ASIACRYPT.

[8]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[9]  Nigel P. Smart The Exact Security of ECIES in the Generic Group Model , 2001, IMACC.

[10]  V. Nechaev Complexity of a determinate algorithm for the discrete logarithm , 1994 .

[11]  Alexander W. Dent,et al.  Adapting the Weaknesses of the Random Oracle Model to the Generic Group Model , 2002, ASIACRYPT.

[12]  Alexander W. Dent,et al.  The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model , 2006, IACR Cryptol. ePrint Arch..

[13]  Dan Boneh,et al.  Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.

[14]  Mihir Bellare,et al.  The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols , 2004, CRYPTO.

[15]  Ueli Maurer,et al.  Abstract Models of Computation in Cryptography , 2005, IMACC.

[16]  Jacob T. Schwartz,et al.  Fast Probabilistic Algorithms for Verification of Polynomial Identities , 1980, J. ACM.

[17]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.