[Cfrg] On Strong DH

Watson Ladd <watsonbladd@gmail.com> Tue, 06 May 2014 22:18 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/7I0NBemclBzaZRBAxl7fokvWcnI

Dear all,
My slides mentioned a reduction to the DDH. It's actually a reduction
to what has been called the strong DH assumption in some papers and
books, namely that calculating g^(ab) given g^a, g^b, and g is hard
even when you can check if your answer is correct. (It's this last
subtlety that I forgot about.)

This is not the strong DH assumption as defined in the paper of Cheon!
That strong DH assumption is used in pairing based cryptography, and
assumes g^(ab) is hard to compute given an oracle that calculates
it unless you feed the oracle g^b. Usually this is called the q-SDH,
or l-SDH, where l or q is the number of oracle queries allowed. It
generally shows up in the context of pairing based cryptography.

Strong DH (not the q-version), like CDH, is commonly believed as hard
as discrete log. Anyone with papers showing otherwise, please let us
know. I don't know of a reduction to CDH, although Gap DH, stronger
than Strong DH, appears true.

Sincerely,
Watson Ladd
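
The game described in the message, as an added example that is not part of the original post: a challenger hands out g, g^a, g^b and answers only whether a candidate equals g^(ab). The toy group parameters, the class name `StrongDHGame` and the guessing strategy are assumptions made for illustration.

```python
import secrets

# Toy Schnorr group, constructed for illustration only (far too small for real use):
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


class StrongDHGame:
    """Challenger for the game as the message states it: compute g^(ab)
    from g, g^a, g^b, with an oracle that says whether a candidate is right."""

    def __init__(self, rng=secrets.SystemRandom()):
        self._a = rng.randrange(1, Q)   # secret exponents, never revealed
        self._b = rng.randrange(1, Q)
        self.A = pow(G, self._a, P)     # public g^a
        self.B = pow(G, self._b, P)     # public g^b
        self.queries = 0

    def check(self, z):
        """Yes/no answer only: is z equal to g^(ab)? Each call is counted."""
        self.queries += 1
        return z == pow(self.A, self._b, P)


def guessing_adversary(game):
    """Naive strategy: walk the subgroup and ask the oracle about each element.
    It can take up to Q oracle queries, so the oracle alone gives this
    strategy nothing beyond exhaustive search."""
    z = 1
    for _ in range(Q):
        if game.check(z):
            return z
        z = (z * G) % P
    return None


def run_once():
    """Play one game and return the challenger and the adversary's answer."""
    game = StrongDHGame()
    return game, guessing_adversary(game)


if __name__ == "__main__":
    game, z = run_once()
    print(f"g^a={game.A} g^b={game.B} answer={z} oracle queries={game.queries}")
```
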