fbpx
Wikipedia

XDH assumption

November 24, 2023

The external Diffie–Hellman (XDH) assumption is a computational hardness assumption used in elliptic curve cryptography. The XDH assumption holds that there exist certain subgroups of elliptic curves which have useful properties for cryptography. Specifically, XDH implies the existence of two distinct groups with the following properties:

  1. The discrete logarithm problem (DLP), the computational Diffie–Hellman problem (CDH), and the computational co-Diffie–Hellman problem are all intractable in and .
  2. There exists an efficiently computable bilinear map (pairing) .
  3. The decisional Diffie–Hellman problem (DDH) is intractable in .

The above formulation is referred to as asymmetric XDH. A stronger version of the assumption (symmetric XDH, or SXDH) holds if DDH is also intractable in .

The XDH assumption is used in some pairing-based cryptographic protocols. In certain elliptic curve subgroups, the existence of an efficiently-computable bilinear map (pairing) can allow for practical solutions to the DDH problem. These groups, referred to as gap Diffie–Hellman (GDH) groups, facilitate a variety of novel cryptographic protocols, including tri-partite key exchange, identity based encryption, and secret handshakes (to name a few). However, the ease of computing DDH within a GDH group can also be an obstacle when constructing cryptosystems; for example, it is not possible to use DDH-based cryptosystems such as ElGamal within a GDH group. Because the DDH assumption holds within at least one of a pair of XDH groups, these groups can be used to construct pairing-based protocols which allow for ElGamal-style encryption and other novel cryptographic techniques.

In practice, it is believed that the XDH assumption may hold in certain subgroups of MNT elliptic curves. This notion was first proposed by Scott (2002), and later by Boneh, Boyen and Shacham (2002) as a means to improve the efficiency of a signature scheme. The assumption was formally defined by Ballard, Green, de Medeiros and Monrose (2005), and full details of a proposed implementation were advanced in that work. Evidence for the validity of this assumption is the proof by Verheul (2001) and Galbraith and Rotger (2004) of the non-existence of distortion maps in two specific elliptic curve subgroups which possess an efficiently computable pairing. As pairings and distortion maps are currently the only known means to solve the DDH problem in elliptic curve groups, it is believed that the DDH assumption therefore holds in these subgroups, while pairings are still feasible between elements in distinct groups.

References edit

  1. Mike Scott. Authenticated ID-based exchange and remote log-in with simple token and PIN. E-print archive (2002/164), 2002. (pdf file)
  2. Dan Boneh, Xavier Boyen, Hovav Shacham. Short Group Signatures. CRYPTO 2004. (pdf file)
  3. Lucas Ballard, Matthew Green, Breno de Medeiros, Fabian Monrose. Correlation-Resistant Storage via Keyword-Searchable Encryption. E-print archive (2005/417), 2005. (pdf file)
  4. Steven D Galbraith, Victor Rotger. Easy Decision Diffie–Hellman Groups. LMS Journal of Computation and Mathematics, August 2004. ([1])
  5. E.R. Verheul, Evidence that XTR is more secure than supersingular elliptic curve cryptosystems, in B. Pfitzmann (ed.) EUROCRYPT 2001, Springer LNCS 2045 (2001) 195–210. [2]

November 24, 2023
assumption, external, diffie, hellman, assumption, computational, hardness, assumption, used, elliptic, curve, cryptography, holds, that, there, exist, certain, subgroups, elliptic, curves, which, have, useful, properties, cryptography, specifically, implies, . The external Diffie Hellman XDH assumption is a computational hardness assumption used in elliptic curve cryptography The XDH assumption holds that there exist certain subgroups of elliptic curves which have useful properties for cryptography Specifically XDH implies the existence of two distinct groups G 1 G 2 displaystyle langle mathbb G 1 mathbb G 2 rangle with the following properties The discrete logarithm problem DLP the computational Diffie Hellman problem CDH and the computational co Diffie Hellman problem are all intractable in G 1 displaystyle mathbb G 1 and G 2 displaystyle mathbb G 2 There exists an efficiently computable bilinear map pairing e G 1 G 2 G T displaystyle e cdot cdot mathbb G 1 times mathbb G 2 rightarrow mathbb G T The decisional Diffie Hellman problem DDH is intractable in G 1 displaystyle mathbb G 1 The above formulation is referred to as asymmetric XDH A stronger version of the assumption symmetric XDH or SXDH holds if DDH is also intractable in G 2 displaystyle mathbb G 2 The XDH assumption is used in some pairing based cryptographic protocols In certain elliptic curve subgroups the existence of an efficiently computable bilinear map pairing can allow for practical solutions to the DDH problem These groups referred to as gap Diffie Hellman GDH groups facilitate a variety of novel cryptographic protocols including tri partite key exchange identity based encryption and secret handshakes to name a few However the ease of computing DDH within a GDH group can also be an obstacle when constructing cryptosystems for example it is not possible to use DDH based cryptosystems such as ElGamal within a GDH group Because the DDH assumption holds within at least one of a pair of XDH groups these groups can be used to construct pairing based protocols which allow for ElGamal style encryption and other novel cryptographic techniques In practice it is believed that the XDH assumption may hold in certain subgroups of MNT elliptic curves This notion was first proposed by Scott 2002 and later by Boneh Boyen and Shacham 2002 as a means to improve the efficiency of a signature scheme The assumption was formally defined by Ballard Green de Medeiros and Monrose 2005 and full details of a proposed implementation were advanced in that work Evidence for the validity of this assumption is the proof by Verheul 2001 and Galbraith and Rotger 2004 of the non existence of distortion maps in two specific elliptic curve subgroups which possess an efficiently computable pairing As pairings and distortion maps are currently the only known means to solve the DDH problem in elliptic curve groups it is believed that the DDH assumption therefore holds in these subgroups while pairings are still feasible between elements in distinct groups References editMike Scott Authenticated ID based exchange and remote log in with simple token and PIN E print archive 2002 164 2002 pdf file Dan Boneh Xavier Boyen Hovav Shacham Short Group Signatures CRYPTO 2004 pdf file Lucas Ballard Matthew Green Breno de Medeiros Fabian Monrose Correlation Resistant Storage via Keyword Searchable Encryption E print archive 2005 417 2005 pdf file Steven D Galbraith Victor Rotger Easy Decision Diffie Hellman Groups LMS Journal of Computation and Mathematics August 2004 1 E R Verheul Evidence that XTR is more secure than supersingular elliptic curve cryptosystems in B Pfitzmann ed EUROCRYPT 2001 Springer LNCS 2045 2001 195 210 2 Retrieved from https en wikipedia org w index php title XDH assumption amp oldid 1162353957, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.