Proofs of Security for ECIES A.W. Dent
III.1. DEFINITIONS AND PRELIMINARIES 47
scheme). Therefore, if we wish to make any meaningful statement about the security of a scheme, we must place some kind of bound on the computational power of the attacker.
Even with this restriction we still run into problems. Any efficient proof of security that guaranteed the security of an algorithm in concrete terms would most likely prove the complexity-theoretic conjecture that P ≠ NP. Whilst this is widely believed to be true, and despite many years of study, a proof has not yet been found. Any such proof would be a major step forward in the field of complexity theory. Therefore the best that one can reasonably hope for from a proof of security is that it relates the security of a scheme to the difficulty of solving some kind of underlying mathematical problem that is believed to be difficult to solve. In other words, even though we use the term “security proof”, our actual level of faith in the security of a scheme depends upon how difficult we believe the underlying problem is.
There are three major underlying problems that have traditionally been used in proving the security of elliptic curve based cryptosystems. These are all based on the reputational security of the ECDH protocol (see Section I.3). The three traditional underlying problems are the computational Diffie–Hellman problem (CDH), the decisional Diffie–Hellman problem (DDH) and the gap Diffie–Hellman problem (gap DH).
Definition III.5. Let G be a cyclic group with prime order #G (and with the group action written additively), and let P be a generator for G.
The computational Diffie–Hellman problem is the problem of finding [ab]P when given ([a]P, [b]P). We assume that a and b are chosen uniformly at random from the set {1, . . . , #G − 1}.
The decisional Diffie–Hellman problem is the problem of deciding whether [c]P = [ab]P when given ([a]P, [b]P, [c]P). We assume that a and b are chosen uniformly at random from the set {1, . . . , #G − 1} and c is either equal to ab (with probability 1/2) or chosen uniformly at random from the set {1, . . . , #G − 1} (with probability 1/2). The advantage that an algorithm A has in solving the DDH problem is equal to
|Pr[A correctly solves the DDH problem] − 1/2|.
The gap Diffie–Hellman problem is the problem of solving the CDH problem when there exists an efficient algorithm that solves the decisional Diffie–Hellman problem on G. In other words, the gap Diffie–Hellman problem is the problem of finding [ab]P when given ([a]P, [b]P) and access to an oracle that returns 1 when given a triple ([α]P, [β]P, [αβ]P) and 0 otherwise. We assume that a and b are chosen uniformly at random from the set {1, . . . , #G − 1}.
Any algorithm that can solve the CDH problem on a group can also be used to solve the gap DH problem and the DDH problem. Hence it is better to try and show that a scheme can only be broken if the CDH problem is easy to solve, as this automatically tells us that the scheme can only be broken if both the gap DH and DDH problems are easy to solve too. The assumption that the CDH problem is hard to solve is called the CDH assumption. The gap DH assumption and the DDH assumption are defined in the same way.
The difficulty of solving the CDH problem on an elliptic curve group is the same as the difficulty in breaking the ECDH protocol on that elliptic curve when the attacker has only seen one execution of that protocol. The ECDH protocol has been around for so long that it is trusted to be secure even though there exists no formal proof of security. There have been some results which suggest that the difficulty of breaking the ECDH protocol is related to the difficulty of solving the elliptic curve discrete logarithm problem, which is considered hard to solve in most elliptic curve groups (see [ECC, Chapter V]).
It is interesting that the security of almost all elliptic curve based cryptosystems has been based on the difficulty of breaking the Diffie–Hellman protocol because the Diffie–Hellman protocol is not restricted to elliptic curve groups: it can be applied to any cyclic group (although the resulting protocol may not be secure). Up until very recently there have been no underlying mathematical problems that have been used as a basis for a proof of security and which are specific to elliptic curves alone. Recently, however, cryptosystems have been developed that are based on certain properties of the Weil and Tate pairings. This will be explained more thoroughly in Chapter IX and Chapter X.
III.1.3. Security for Symmetric Cryptography. One of the problems with developing a security proof for ECIES is that it relies on undefined symmetric encryption and MAC schemes. Obviously, if the symmetric encryption scheme is weak and it is possible to derive information about the message from its symmetric encryption, then no amount of elliptic curve cryptography is going to make the ECIES encryption of the message secure. That the MAC algorithm is of equal importance takes a little more thought and is best illustrated by means of an example.
Suppose that the symmetric encryption scheme used in an instantiation of ECIES is a Vernam cipher. In a Vernam cipher a fixed-length message is XORed with a key of equal size in order to create a ciphertext. Decryption of a ciphertext is given by once again XORing the ciphertext with the key to give the original message. Suppose further that we remove the MAC algorithm from the ECIES scheme. This scheme is now definitely insecure against CCA2 attacks. Suppose that the challenge ciphertext C∗ = (U∗, c∗) is the ECIES encryption of a message m∗. (How this message is chosen and whether the attacker is playing the IND or OW game is irrelevant here.) This means that c∗ = m∗ ⊕ k∗, where k∗ is some symmetric key derived from the secret key x and U∗. An attacker can recover k∗ by asking for the decryption of a ciphertext C = (U∗, c), where c ≠ c∗. If the decryption of C is m, then the attacker knows that k∗ = c ⊕ m, and he can easily recover m∗ from c∗ and k∗.
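An added illustration of the argument above, written for this edit and not taken from the chapter: the key derivation is reduced to a hash of (x, U) as a stand-in for the ECIES KDF of the shared point, the decryption oracle enforces the CCA2 rule that the challenge ciphertext itself may not be queried, and the same query is then repeated against a version that appends an HMAC tag over c. All names, the toy KDF and the message sizes are assumptions of this example.

```python
import hashlib
import hmac
import os

MSG_LEN = 16  # constructed fixed message length for the Vernam cipher


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Recipient:
    """Holds the secret key x and answers decryption queries (the CCA2 oracle)."""

    def __init__(self, use_mac):
        self.x = os.urandom(32)        # stand-in for the private key x
        self.use_mac = use_mac
        self.challenge = None          # the challenge ciphertext C*, once issued

    def _keys(self, U):
        # Toy KDF: hash(x, U) stands in for hashing the shared point [x]U.
        kdf = hashlib.sha256(self.x + U).digest()
        return kdf[:MSG_LEN], kdf[MSG_LEN:]   # (Vernam key k, MAC key km)

    def encrypt(self, m, U):
        k, km = self._keys(U)
        c = xor(m, k)                                  # c = m xor k
        tag = hmac.new(km, c, hashlib.sha256).digest() if self.use_mac else b""
        return (U, c, tag)

    def decrypt_oracle(self, C):
        if C == self.challenge:                        # CCA2 rule: C != C*
            return None
        U, c, tag = C
        k, km = self._keys(U)
        expected = hmac.new(km, c, hashlib.sha256).digest()
        if self.use_mac and not hmac.compare_digest(tag, expected):
            return None                                # tag invalid: reject
        return xor(c, k)


def attack(use_mac):
    """Return (m*, recovered); recovered is None when the oracle refuses."""
    r = Recipient(use_mac)
    U_star, m_star = os.urandom(32), os.urandom(MSG_LEN)   # constructed U*, m*
    C_star = r.encrypt(m_star, U_star)
    r.challenge = C_star
    U, c_star, tag = C_star
    c = bytes([c_star[0] ^ 1]) + c_star[1:]            # reuse U*, flip a bit so c != c*
    m = r.decrypt_oracle((U, c, tag))
    if m is None:
        return m_star, None
    k_star = xor(c, m)                                 # k* = c xor m
    return m_star, xor(c_star, k_star)                 # m* = c* xor k*
```

Without the MAC the oracle decrypts the modified ciphertext and leaks k*; with the MAC the modified c no longer verifies under km, so the oracle returns nothing and the key stays hidden.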