Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Decisional Diffie–Hellman assumption
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
The '''decisional Diffie–Hellman (DDH) assumption''' is a [[computational hardness assumption]] about a certain problem involving [[discrete logarithm]]s in [[cyclic group]]s. It is used as the basis to prove the security of many [[cryptography|cryptographic]] protocols, most notably the [[ElGamal encryption|ElGamal]] and [[Cramer–Shoup cryptosystem]]s. ==Definition== Consider a (multiplicative) [[cyclic group]] <math>G</math> of order <math>q</math>, and with [[Generating set of a group|generator]] <math>g</math>. The DDH assumption states that, given <math>g^a</math> and <math>g^b</math> for uniformly and independently chosen <math>a,b \in \mathbb{Z}_q</math>, the value <math>g^{ab}</math> "looks like" a random element in <math>G</math>. This intuitive notion can be formally stated by saying that the following two probability distributions are [[computationally indistinguishable]] (in the [[security parameter]], <math>n=\log(q)</math>): * <math>(g^a,g^b,g^{ab})</math>, where <math>a</math> and <math>b</math> are randomly and independently chosen from <math>\mathbb{Z}_q</math>. * <math>(g^a,g^b,g^c)</math>, where <math>a,b,c</math> are randomly and independently chosen from <math>\mathbb{Z}_q</math>. Triples of the first kind are often called '''DDH triplet''' or '''DDH tuples'''. ==Relation to other assumptions== The DDH assumption is related to the [[discrete logarithm|discrete log assumption]]. If it were possible to efficiently compute discrete logs in <math>G</math>, then the DDH assumption would not hold in <math>G</math>. Given <math>(g^a,g^b,z)</math>, one could efficiently decide whether <math>z=g^{ab}</math> by first taking the discrete <math>\log_g</math> of <math>g^a</math>, and then comparing <math>z</math> with <math>(g^b)^a</math>. DDH is considered to be a '''stronger''' assumption than the discrete logarithm assumption, because there are groups for which computing discrete logs is believed to be hard (and thus the DL Assumption is believed to be true), but detecting DDH tuples is easy (and thus DDH is false). Because of this, requiring that the DDH assumption holds in a group is believed to be a more restrictive requirement than DL. The DDH assumption is also related to the [[computational Diffie–Hellman assumption]] (CDH). If it were possible to efficiently compute <math>g^{ab}</math> from <math>(g^a,g^b)</math>, then one could easily distinguish the two probability distributions above. DDH is considered to be a stronger assumption than CDH because if CDH is solved, which means we can get <math>g^{ab}</math>, the answer to DDH will become obvious. ==Other properties== The problem of detecting DDH tuples is [[random self-reducibility|random self-reducible]], meaning, roughly, that if it is hard for even a small fraction of inputs, it is hard for almost all inputs; if it is easy for even a small fraction of inputs, it is easy for almost all inputs. ==Groups for which DDH is assumed to hold== <!-- using {{disputed}} instead of {{disputed-section}} otherwise the talk page link is missing {{disputed|Incorrect claims|date=July 2013}} --> When using a cryptographic protocol whose security depends on the DDH assumption, it is important that the protocol is implemented using groups where DDH is believed to hold: * The subgroup <math>\mathbb{G}_q</math> of <math>k</math>-th residues modulo a prime <math>p=kq+1</math>, where <math>q</math> is also a large prime (also called a [[Schnorr group]]). For the case of <math>k=2</math>, this corresponds to the group of [[quadratic residue]]s modulo a [[safe prime]]. * The [[quotient group]] <math>\mathbb{Z}^*_p/\{1,-1\}</math> for a [[safe prime]] <math>p=2q+1</math>, which consists of the [[cosets]] <math>\{\{1,-1\},\ldots\{q,-q\}\}</math>. These cosets <math>\{x,-x\}</math> can be represented by <math>x</math>, which implies <math>\mathbb{Z}^*_p/\{1,-1\}\equiv\{1,\ldots,q\}</math>. Since <math>\mathbb{Z}^*_p/\{1,-1\}</math> and <math>\mathbb{G}_q</math> are isomorphic, and the [[isomorphism]] can be computed efficiently in both direction, DDH is equally hard in both groups. * A prime-order [[elliptic curve]] <math>E</math> over the [[field (mathematics)|field]] <math>GF(p)</math>, where <math>p</math> is prime, provided <math>E</math> has large embedding degree. * A [[Jacobian variety|Jacobian]] of a [[hyper-elliptic curve]] over the [[field (mathematics)|field]] <math>GF(p)</math> with a prime number of reduced divisors, where <math>p</math> is prime, provided the Jacobian has large embedding degree. Importantly, the DDH assumption '''does not hold''' in the multiplicative group <math>\mathbb{Z}^*_p</math>, where <math>p</math> is prime. This is because if <math>g</math> is a generator of <math>\mathbb{Z}^*_p</math>, then the [[Legendre symbol]] of <math>g^a</math> reveals if <math>a</math> is even or odd. Given <math>g^a</math>, <math>g^b</math> and <math>g^{ab}</math>, one can thus efficiently compute and compare the least significant bit of <math>a</math>, <math>b</math> and <math>ab</math>, respectively, which provides a probabilistic method to distinguish <math>g^{ab}</math> from a random group element. The DDH assumption does not hold on elliptic curves over <math>GF(p)</math> with small embedding degree (say, less than <math>\log^2(p)</math>), a class which includes [[supersingular elliptic curve]]s. This is because the [[Weil pairing]] or [[Tate pairing]] can be used to solve the problem directly as follows: given <math>P,aP,bP,cP</math> on such a curve, one can compute <math>e(P,cP)</math> and <math>e(aP,bP)</math>. By the bilinearity of the pairings, the two expressions are equal if and only if <math>ab=c</math> modulo the order of <math>P</math>. If the embedding degree is large (say around the size of <math>p</math>) then the DDH assumption will still hold because the pairing cannot be computed. Even if the embedding degree is small, there are some subgroups of the curve in which the DDH assumption is believed to hold. ==See also== * [[Diffie–Hellman problem]] * [[Diffie–Hellman key exchange]] * [[Computational hardness assumptions]] * [[XDH assumption]] * [[Decisional Linear assumption]] ==References== * {{cite book |authorlink=Dan Boneh |first=Dan |last=Boneh |chapter=The Decision Diffie-Hellman problem |title=Proceedings of the Third Algorithmic Number Theory Symposium |series=Lecture Notes in Computer Science |volume=1423 |pages=48–63 |year=1998 |doi=10.1007/BFb0054851 |isbn=978-3-540-64657-0 |citeseerx=10.1.1.461.9971 }} {{Cryptography navbox | public-key}} {{Computational hardness assumptions}} {{DEFAULTSORT:Decisional Diffie-Hellman assumption}} [[Category:Computational hardness assumptions]] [[Category:Elliptic curve cryptography]]
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)
Pages transcluded onto the current version of this page
(
help
)
:
Template:Cite book
(
edit
)
Template:Computational hardness assumptions
(
edit
)
Template:Cryptography navbox
(
edit
)