Complexity Assumptions - Privacy-preserving access control techniques in distributed systems

2.5 Complexity Assumptions

In this section, we review the complexity assumptions used throughout this thesis.

2.5.1 Discrete Logarithm Assumption

The discrete logarithm (DL) assumption [Odl85] in a finite field is one of the basic assumptions in cryptography research. The DL assumption is defined as follows.

Definition 2.8 Discrete Logarithm (DL) Assumption [Odl85]. Let G(1^`) → (p,G) and G = hgi. Given (g, y) ∈ G², we say that the discrete logarithm assumption holds on G if no PPT adversary A can compute a x ∈ Zp such that y = g^x with the advantage

Adv_A^DL = Pr [y = g^x|A(p, g, y,G) → x] ≥ (`)

where the probability is taken over the random choice of y ∈ G and the bits consumed by the adversary A.

2.5.2 Computational Diffie-Hellman Assumption

Diffie and Hellman [DH76] proposed this assumption and constructed a key exchange scheme based on it. This assumption is defined as follows.

Definition 2.9 Computational Diffie-Hellman (CDH) Assumption [DH76]. Let x, y←^R Zp, G(1^`) → (p,G) and G = hgi. Given (g, g^x, g^y), we say that the computational Diffie-Hellman assumption holds on G if no PPT adversary A can compute g^xy with the advantage

Adv_A^CDH = Pr [A(g, g^x, g^y) → g^xy] ≥ (`)

where the probability is taken over the random choices of x, y ←^R Zp and the bits consumed by the adversary A.

Maurer [Mau94] discussed the relationships between DL assumption and CDH assumption.

2.5. Complexity Assumptions 14

2.5.3 Decisional Diflie-Hellman Assumption

Boneh [Bon98] surveyed the various applications of decisional Diffie-Hellman as-sumption and demonstrated some results regarding it security.

Definition 2.10 Decisional Diflie-Hellman (DDH) Assumption [Bon98]. Let x, y, z ←^R Zp, G(1^`) → (p,G) and G = hgi. Given (g, g^x, g^y), we say that the decisional Diffie-Hellman assumption holds on G if no PPT adversary A can distinguish (X, Y, Z) = (g^x, g^y, g^xy) from (X, Y, Z) = (g^x, g^y, g^z) with the advantage

Adv_A^DDH = |Pr[A(X, Y, g^xy) = 1] − Pr[A(X, Y, g^z) = 1]| ≥ (`)

where the probability is taken over the random choices x, y, z ←^R Zp and the bits consumed by the adversary A.

2.5.4 Computational Bilinear Diffie-Hellman

Boneh and Franklin [BF01] introduced this assumption. This assumption is as follows.

Definition 2.11 Computational Bilinear Diffie-Hellman (CBDH) Assumption [BF01].

Let GG(1^`) → (e, p,G, Gτ) and G = hgi. We say that the computational bilinear Diffie-Hellman assumption holds on (e, p,G, Gτ) if no PPT adversaries A can com-pute e(g, g)^abc from (A, B, C) = (g^a, g^b, g^c) with the advantage

Adv_A^CBDH = Pr

A(A, B, C) → e(g, g)^abc

≥ (`)

where the probability is taken over the random choices of a, b, c ←^R Zp and the bits consumed by A.

2.5.5 Decisional Bilinear Diffie-Hellman Assumption

Boneh and Franklin [BF01] introduced this assumption and used it to construct an identity-based encryption (IBE) scheme. This assumption is defined as follows.

Definition 2.12 Decisional Bilinear Diffie-Hellman (DBDH) Assumption [BF01]. Let a, b, c, z ←^R Zp, GG(1^`) → (e, p,G, Gτ) andG = hgi. We say that the decisional bilin-ear Diffie-Hellman assumption holds on (p, e,G, Gτ) if no PPT adversary A can dis-tinguish (A, B, C, Z) = (gâ, g^b, g^c, e(g, g)âbc) from (A, B, C, Z) = (gâ, g^b, g^c, e(g, g)^z) with the advantage

Adv_A^DBDH =

Pr[A(A, B, C, e(g, g)^abc) = 1] − Pr[A(A, B, C, e(g, g)^z) = 1]

≥ (`)

2.5. Complexity Assumptions 15

where the probability is taken over the random choices of a, b, c, z ←^R Zp and the bits consumed by the adversary A.

2.5.6 q-Strong Diffie-Hellman Assumption

Boneh and Boyen [BB04b] proposed this assumption and used it to develop a short signature scheme. This assumption is defined as follows.

Definition 2.13 q-Strong Diffie-Hellman (q-SDH) Assumption [BB04b]. Let x←^R Zp, GG(1^`) → (p, e, G1,G2,Gτ), G1 = hgi and G2 = hhi. Given a (q + 2)-tuple (g, h, h^x, · · · , h^x^q), we say that the q-strong Diffie-Hellman assumption holds on (p, e,G1,G2,Gτ) if no PPT adversary A can compute (c, g^x+c¹ ) with the advantage

Adv_A^q−SDH = Prh

A(g, h, h^x, · · · , g^x^q) → (c, g^x+c¹ )i

≥ (`)

where c ∈Z^∗_p and the probability is taken over the random choice of x←^R Z^∗_p and the bits consumed by the adversary A.

2.5.7 Chosen-Target Computational Diffie-Hellman Assump-tion

Boldyreva [Bol03] introduced this assumption and used it to design a blind signature scheme. This assumption is defined as follows.

Definition 2.14 Chosen-Target Computational Diffie-Hellman (CT-CDH) Assumption [Bol03]. Let x ←^R Zp, G(1^`) → (p,G) and G = hgi. Let H : {0, 1}^∗ → G be a cryptographic hash function. There are two oracles: target oracle TG(·) and help oracle HG(·). TG(·) takes as input i ∈ Zp and outputs gi ∈G. HG(·) takes as input gi ∈ G and outputs g_i^x ∈ G. Let qT and qH denote the number of times that the two oracles are queried, respectively. We say that the chosen-target computational Diffie-Hellman assumption holds on (p,G) if no PPT adversary A can have the advantage

Adv_A^{CT −CDH} = Pr

A^T^G^(·),H^G^(·)(p, H, g, g^x) → {(i1, θ1), · · · , (iq+1, θq+1)}

≥ (`) where gij ∈ {g₁, g2, · · · , gq+1}, θ_j = g^x_i_j for j = 1, 2, · · · , q + 1, and qH ≤ q < q_T.

The CT-CDH assumption is the analogous version of the chosen-target RSA inversion (RSA-CTI) assumption [BNPS02].

2.5. Complexity Assumptions 16

2.5.8 E Xtended Chosen-Target Computational Diffie-Hellman Assumption

Intuitively, in the above CT-CDH assumption, after the adversary A queries the help oracle H_G(·) on the elements in G at most qH times, he cannot compute a new element in G to the power of x if its discrete logarithm on the generator and the qH queried elements are unknown. Based on the CT-CDH assumption, we propose the extended CT-CDH (XCT-CDH) assumption, by replacing the target oracle in CT-CDH assumption with (qH + 1) random elements ofG.

Definition 2.15 EXtended Chosen-Target Computational Diffie-Hellman (XCT-CDH) Assumption. Let x←^R Zp, G(1^`) → (p,G) and G = hgi. Suppose that HG(·) be a help oracle which takes as input g_i ∈ G and outputs g_i^x ∈ G. Let qH be the number of the times which the oracle is queried. Given a (q + 1)-tuple (gâ¹, gâ², · · · , gâ^q+1), we say that the extended chosen-target computational Diffie-Hellman assumption holds on (p,G) if no PPT adversary A can have the advantage

Adv_A^{XCT −CDH} = Pr

A^H^G^(·)(p, g, g^x, g^a¹, · · · , g^a^q+1) → (g^xa¹, · · · , g^xa^q+1)

≥ (`) where ai

←R Zp for i = 1, 2, · · · , q + 1 and qH ≤ q.

We have the following result about CT-CDH assumption and XCT-CDH as-sumption.

Theorem 2.1 The extended chosen-target computational Diffie-Hellman assump-tion and the chosen-target Diffie-Hellman assumpassump-tion are equivalent.

Proof: Given the (q+1)-tuple {gâ¹, gâ², · · · , gâ^q+1} where a_i ←^R Zpfor i = 1, 2, · · · , q+

1, we define a function H : j → g^a^ij ∈ G, where aij ∈ {a1, a2, · · · , aq+1} for j = 1, 2, · · · , q + 1; otherwise H : j → g^b^j, where bj R

← Zp. So, H(·) is a cryp-tographic hash function 2.6.2, where the domain is Z⁺ and the range isG.

On the one hand, if an adversary A can break the CT-CDH assumption, we can construct an algorithm B that can use A to break the XCT-CDH assump-tion as follows. Given {gâ¹, gâ², · · · , gâ^q+1}, for q_T (qT ≤ q + 1) target oracle queries, B responds with gâⁱ¹, gâⁱ², · · · , gâîqT, where aij ∈ {a1, a2, · · · , aq+1} for j = 1, 2, · · · , qT. For qH (qH ≤ q) help oracle queries, B queries the help or-acle H_G(·) in the XCT-CDH assumption, and responds A with {g^xaⁱ¹, g^xaⁱ², · · · , g^xaîqH}, where a_i_j ∈ {a₁, a₂, · · · , a_q+1} for j = 1, 2, · · · , q_H. If A can output

In document Privacy-preserving access control techniques in distributed systems (Page 33-37)