1
A Classification of Computational Assumptions in the Algebraic Group Model
Balthazar Bauer, Georg Fuchsbauer, Julian Loss
August 11, 2020
2
- 1. The Algebraic Group Model (FKL 2018)
- 2. Classification
- 3. Separation
4
From GGM to AGM
◮ Let $\mathbb{G}$ be a cyclic group of prime order $p$.
◮ Standard Model: the challenger C sends $(Z_1, Z_2, Z_3)$ to the adversary, the adversary returns a group element $Y$, and C outputs a bit $b$.
5
From GGM to AGM
◮ Let $\mathbb{G}$ be a cyclic group of prime order $p$.
◮ Generic Group Model: C hands the adversary only handles (♦, ♥, ⋆) for $(Z_1, Z_2, Z_3)$. Every group operation goes through an oracle, e.g. the query (♦, ♥) returns the handle ♣ = ♦ + ♥. The adversary finally outputs a handle ♠. Since every handle it holds was produced by the oracle, C can always express it as ♠ = a_1♦ + a_2♥ + a_3⋆, i.e. C knows (♠, (a_1, a_2, a_3)) such that ♠ = a_1♦ + a_2♥ + a_3⋆.
6
From GGM to AGM
◮ Let $\mathbb{G}$ be a cyclic group of prime order $p$.
◮ Generic Group Model (modified): C hands the adversary the handles (♦, ♥, ⋆); the adversary queries the oracle, e.g. (♦, ♥) ↦ ♣ = ♦ + ♥; but now the adversary itself must output (♠, (a_1, a_2, a_3)) such that ♠ = a_1♦ + a_2♥ + a_3⋆.
7
From GGM to AGM
◮ Let $\mathbb{G}$ be a cyclic group of prime order $p$.
◮ Algebraic Group Model: C sends the actual group elements $(Z_1, Z_2, Z_3)$; the adversary may compute with them as it likes (e.g. $Z_1 + Z_2$), but must output $(Y, (a_1, a_2, a_3))$ such that $Y = a_1 Z_1 + a_2 Z_2 + a_3 Z_3$; C outputs a bit $b$.
8
Standard vs Algebraic
◮ No reduction from DLog to CDH in the standard model.
◮ Let A be an algebraic algorithm which solves CDH.
◮ B(G, X):
  ◮ $v \xleftarrow{\$} \mathbb{Z}_p^*$
  ◮ $(Y, \ell_1, \ell_2, \ell_3) \leftarrow A(G, X, X + vG)$, where $\ell_1 G + \ell_2 X + \ell_3 (X + vG) = Y$
  ◮ $\{x^*_1, x^*_2\} \leftarrow \mathrm{Solve}\big(\ell_1 + \ell_2 x + \ell_3 (x + v) \equiv x(x + v) \pmod p\big)$ for the unknown $x$ (when A succeeds, $Y = x(x+v)G$, so the true $x$ is a root of this quadratic)
  ◮ Output $x^*_i$ such that $X = x^*_i G$
◮ Conclusion: AGM enables new security reductions
9
q-Diffie-Hellman Exponent
◮ Let $\mathbb{G}$ be a cyclic group of prime order $p$.
◮ $x \xleftarrow{\$} \mathbb{Z}_p$; given $G, xG, x^2G, \dots, x^qG$, compute $x^{q+1}G$.
◮ Can we reduce DLog to q-DHE?
10
q-Strong Diffie-Hellman (Boneh Boyen 2004)
◮ Let $(\mathbb{G}_1, \mathbb{G}_2, e)$ be a bilinear cyclic group of prime order $p$.
◮ $x \xleftarrow{\$} \mathbb{Z}_p$; given $G_1, G_2, xG_2, x^2G_2, \dots, x^qG_2$, output $\big(c, \tfrac{1}{x + c} G_1\big)$.
◮ Can we reduce DLog to q-SDH?
11
[Diagram: the assumptions CDH, DLog, LRSW, q-SDH, Gap-DH, one-more DLog, q′′-DHE, q′-DLog, DHI and SRDH; the reductions between them that are still open are marked "?"]
14
- 1. The Algebraic Group Model (FKL 2018)
- 2. Classification
- 3. Separation
15
$(\vec{R}, P)$-uber assumption (Boneh Boyen Goh 2005)
◮ General idea: describe many assumptions at once.
◮ $\vec{R} \in \mathbb{Z}_p[X_1, \dots, X_m]^n$, $P \in \mathbb{Z}_p[X_1, \dots, X_m]$
◮ $\vec{x} \xleftarrow{\$} \mathbb{Z}_p^m$; given $R_1 = R_1(\vec{x})G,\ R_2 = R_2(\vec{x})G,\ \dots,\ R_n = R_n(\vec{x})G$, compute $P(\vec{x})G$.
◮ Easy if $P \in \mathrm{Span}(\vec{R})$: $P = \sum_i a_i R_i$; $P(\vec{x}) = \sum_i a_i R_i(\vec{x})$; $P(\vec{x})G = \sum_i a_i R_i$.
◮ Hard in the GGM if $P \notin \mathrm{Span}(\vec{R})$ (non-triviality condition).
16
$(\vec{R}, P)$-uber assumption (Boneh Boyen Goh 2005)
◮ General idea: describe many assumptions at once (like CDH).
◮ $\vec{R} \in \mathbb{Z}_p[X_1, \dots, X_m]^n$, $P \in \mathbb{Z}_p[X_1, \dots, X_m]$
◮ $(x, y) \xleftarrow{\$} \mathbb{Z}_p^2$; given $R_1 = R_1(\vec{x})G\ (= 1G)$, $R_2 = R_2(\vec{x})G\ (= xG)$, $R_3 = R_3(\vec{x})G\ (= yG)$, compute $P(\vec{x})G\ (= xyG)$.
◮ Easy if $P \in \mathrm{Span}(\vec{R})$: $P = \sum_i a_i R_i$; $P(\vec{x}) = \sum_i a_i R_i(\vec{x})$; $P(\vec{x})G = \sum_i a_i R_i$.
◮ Hard in the GGM if $P \notin \mathrm{Span}(\vec{R})$ (non-triviality condition).
17
$(\vec{R}, P)$-uber assumption (Boneh Boyen Goh 2005)
◮ General idea: describe many assumptions at once (like q-DHE).
◮ $\vec{R} \in \mathbb{Z}_p[X_1, \dots, X_m]^n$, $P \in \mathbb{Z}_p[X_1, \dots, X_m]$
◮ $x \xleftarrow{\$} \mathbb{Z}_p$; given $R_1 = R_1(x)G\ (= 1G)$, $R_2 = R_2(x)G\ (= xG)$, $R_3 = R_3(x)G\ (= x^2G)$, $\dots$, $R_n = R_n(x)G\ (= x^qG)$, compute $P(x)G\ (= x^{q+1}G)$.
◮ Easy if $P \in \mathrm{Span}(\vec{R})$: $P = \sum_i a_i R_i$; $P(x) = \sum_i a_i R_i(x)$; $P(x)G = \sum_i a_i R_i$.
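The non-triviality condition above ($P \notin \mathrm{Span}(\vec{R})$) is a linear-algebra question over $\mathbb{Z}_p$. The following is an added example, not code from the slides or the paper: it decides span membership by Gaussian elimination and, in the trivial case, returns the coefficients $a_i$ with which $P(\vec{x})G = \sum_i a_i R_i$ can be computed; the dict-based polynomial encoding and the toy prime are assumptions of this example.

```python
# Added example: deciding the non-triviality condition of an (R, P)-uber
# instance, i.e. whether P lies in Span(R_1, ..., R_n) over Z_p.
# Polynomials are dicts mapping an exponent tuple (one entry per variable X_1..X_m)
# to a coefficient, e.g. {(1, 1): 1} is X*Y and {(0, 0): 1} is the constant 1.
p = 1019  # toy prime (constructed for the example); the check is identical for any prime

def span_coefficients(R, P):
    """Return [a_1, ..., a_n] with P = sum(a_i * R_i) mod p, or None if P is not in Span(R).
    Span membership is a linear system with one equation per monomial, solved by
    Gaussian elimination over Z_p."""
    monos = sorted({m for poly in R + [P] for m in poly})
    n = len(R)
    # Row per monomial: [coeff in R_1, ..., coeff in R_n | coeff in P]
    rows = [[poly.get(m, 0) % p for poly in R] + [P.get(m, 0) % p] for m in monos]
    pivot_cols, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue                      # R_c depends on earlier R_i: free variable
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [v * inv % p for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(vi - f * vr) % p for vi, vr in zip(rows[i], rows[r])]
        pivot_cols.append(c)
        r += 1
    # A zero row with a non-zero right-hand side means a monomial of P is unreachable
    if any(not any(row[:n]) and row[n] for row in rows):
        return None
    a = [0] * n                           # free variables are set to 0
    for i, c in enumerate(pivot_cols):
        a[c] = rows[i][n]
    return a

# The two instances from the slides, as constructed inputs:
CDH_R = [{(0, 0): 1}, {(1, 0): 1}, {(0, 1): 1}]   # (1, X, Y)
CDH_P = {(1, 1): 1}                                # XY  -> not in the span: non-trivial
DHE_R = [{(j,): 1} for j in range(4)]              # (1, X, X^2, X^3), i.e. q = 3
DHE_P = {(4,): 1}                                  # X^4 -> not in the span: non-trivial
TRIVIAL_P = {(0,): 5, (2,): 3}                     # 5 + 3X^2 = 5*R_1 + 3*R_3: trivial
```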
19
q-Strong Diffie-Hellman (Boneh Boyen 2004)
$x \xleftarrow{\$} \mathbb{Z}_p$; given $G_1, G_2, xG_2, x^2G_2, \dots, x^qG_2$, output $\big(c, \tfrac{1}{x + c} G_1\big)$.
20
q-Strong Diffie-Hellman (Boneh Boyen 2004)
$x \xleftarrow{\$} \mathbb{Z}_p$; given $G_1, G_2, xG_2, x^2G_2, \dots, x^qG_2$, output $\big(P \in \{\tfrac{1}{X + c}\}_{c \in \mathbb{Z}_p},\ P(x)G_1\big)$, i.e. the target is a rational fraction chosen by the adversary from a fixed family.
21
Generalization
◮ Group → Bilinear Group (type 1, 2, 3)
◮ Polynomials → Rational fractions
◮ Constant targets → Flexible targets
22
q-DLog
◮ General idea: generalize the DLog assumption.
◮ $x \xleftarrow{\$} \mathbb{Z}_p$; given $G, xG, x^2G, \dots, x^qG$, compute $x$.
23
Univariate case
◮ We can reduce q-DLog to a non-trivial $(\vec{R}, P)$-uber assumption:
◮ Let A be an adversary against $((R_1, \dots, R_n), P)$-uber.
◮ Let $q$ be such that $\forall i: \deg(R_i) \le q$.
◮ Let's break q-DLog.
◮ $B^A(X^{(0)}, X^{(1)}, \dots, X^{(q)})$, where $X^{(j)} = x^j G$:
  ◮ $R_i := \sum_j r_{i,j} X^{(j)} = R_i(x)G$ (with $r_{i,j}$ the coefficients of $R_i$)
  ◮ $(P, a_1, \dots, a_n) \leftarrow A(R_1, \dots, R_n)$, with $\sum_i a_i R_i = P(x)G$
  ◮ $\{x^*_1, \dots, x^*_q\} \leftarrow \mathrm{Solve}\big(\sum_i a_i R_i(X) = P(X)\big)$
  ◮ Output $x^*_i$ such that $x^*_i G = X^{(1)}$
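The reduction $B^A$ above, run end to end, as an added example that is not the authors' code: it instantiates the univariate reduction with the CDH instance of the "Standard vs Algebraic" slide ($\vec{R} = (1, X, X+v)$, $P = X(X+v)$, so $q = 1$), in a constructed toy group of order $p = 1019$; the toy adversary, the polynomial encoding and the exhaustive root search are assumptions of this example that only work because the group is tiny.

```python
import random

# Added example: the univariate uber -> q-DLog reduction B^A of slide 23,
# instantiated with the CDH case of slide 8 (R = (1, X, X+v), P = X(X+v), q = 1).
# Toy group (constructed parameters): the subgroup of order p in Z_P^*, P = 2p+1,
# written additively as on the slides. A real group is vastly larger.
P, p, G = 2039, 1019, 4                       # G has prime order p modulo P

def add(A, B): return A * B % P                # "A + B" on the slides
def mul(k, A): return pow(A, k % p, P)         # "kA" on the slides; mul(0, A) is the identity

def poly_eval(coeffs, x):                      # coeffs[j] is the coefficient of X^j, over Z_p
    return sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p

def cdh_adversary(R_elems, v):
    """Toy algebraic adversary for R = (1, X, X+v), P = X^2 + vX. It cheats by brute-forcing
    the tiny DLog (no real adversary can), but returns exactly what the AGM requires: the
    target polynomial P and coefficients a with sum(a_i R_i) = P(x)G. The representation
    is randomised, so B really has to solve for x."""
    x = next(k for k in range(p) if mul(k, G) == R_elems[1])
    t = random.randrange(p)
    a = ((x * (x + v) - t * (x + v)) % p, 0, t)   # a1*1 + a2*x + a3*(x+v) = x(x+v)
    return [0, v, 1], a                          # P(X) = 0 + vX + X^2

def uber_to_qdlog(X_pows, R_polys, adversary):
    """B^A(X^(0), ..., X^(q)): build R_i = sum_j r_ij X^(j) = R_i(x)G, run A, then
    solve sum(a_i R_i(X)) = P(X) and return the root x* with x*G = X^(1)."""
    R_elems = []
    for r in R_polys:
        acc = mul(0, G)
        for j, rij in enumerate(r):
            acc = add(acc, mul(rij, X_pows[j]))
        R_elems.append(acc)
    Pcoef, a = adversary(R_elems)
    # D(X) = sum(a_i R_i(X)) - P(X) is non-zero (P not in Span(R)) and vanishes at x.
    D = [0] * max(len(Pcoef), max(len(r) for r in R_polys))
    for ai, r in zip(a, R_polys):
        for j, rij in enumerate(r):
            D[j] = (D[j] + ai * rij) % p
    for j, c in enumerate(Pcoef):
        D[j] = (D[j] - c) % p
    # Toy-sized p: find the roots exhaustively (for real p use polynomial root finding mod p).
    roots = [x for x in range(p) if poly_eval(D, x) == 0]
    return next((x for x in roots if mul(x, G) == X_pows[1]), None)

def break_dlog(X):
    """1-DLog challenge (G, X): choose v, hand B the CDH-style uber instance, recover x."""
    v = random.randrange(1, p)
    R_polys = [[1], [0, 1], [v, 1]]            # R = (1, X, X+v), all of degree <= q = 1
    return uber_to_qdlog([G, X], R_polys, lambda R: cdh_adversary(R, v))
```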
24
Generalization
◮ Uber:
  ◮ Group → Bilinear Group (type 1, 2, 3)
  ◮ Univariate → Multivariate (CDH) (embed the challenge in every coordinate: $x_i := y_i x + v_i$)
  ◮ Fixed targets → Flexible targets: A can choose $P \notin \mathrm{Span}(\vec{R})$.
◮ Ruber: Polynomials → Rational fractions (q-SDH)
◮ Druber: Add decisional oracles (Gap-DH) (New)
◮ Gegenuber: Constant generator → Flexible generator (LRSW) (New): A can choose $G'$ and return $(G', P(\vec{x})G')$.
25
Gap-DH
◮ C sends $(G, xG, yG)$; the adversary must return $xyG$.
◮ The adversary additionally has a decisional oracle: on $(Z_1, Z_2, Z_3)$ with $Z_i = z_i G$ it answers the bit of $z_1 z_2 \overset{?}{\equiv} z_3$.
27
LRSW
◮ The adversary outputs $\big(m^*,\ a^*G,\ a^*(x + m^* x y)G\big)$: it picks its own generator $a^*G$ and its own message $m^*$.
29
[Diagram: the chain DLog, 2-DLog, 3-DLog, ..., (q − 1)-DLog, q-DLog, with q-SDH, q-DHI, q-DHE, Gap-DH, CDH, LRSW and SRDH placed in this hierarchy; the remaining open relations are marked "?"]
Can we do better?
32
- 1. The Algebraic Group Model (FKL 2018)
- 2. Classification
- 3. Separation
33
hardness
[Diagram: hardness relations between the assumptions]
Thm: If (q + 1)-DLog is q-DLog-hard, then q-DLog ∈ FBPP.
41
[Diagram: the chain DLog, 2-DLog, 3-DLog, ..., (q − 1)-DLog, q-DLog, with q-SDH, q-DHI, q-DHE, Gap-DH, CDH, LRSW and SRDH placed in the hierarchy]
42
One-More Discrete Log
C sends $(G, X, Y)$.
Adversary: "I want TWO discrete logs!"
C: "I will compute only ONE discrete log for you..."
Adversary: "Life is hard..."
43
Thm: q-DLog does not imply One-More DLog in the AGM.