DDH-Like Assumptions Based on Extension Rings

We introduce and study a new type of DDH-like assumptions based on groups of prime order q. Whereas standard DDH is based on encoding elements of Fq “in the exponent” of elements in the group, we ask what happens if instead we put in the exponent elements of the extension ring Rf = Fq[X]/(f) where f is a degree-d polynomial. The decision problem that follows naturally reduces to the case where f is irreducible. This variant is called the d-DDH problem, where 1DDH is standard DDH. We show in the generic group model that dDDH is harder than DDH for d > 1 and that we obtain, in fact, an infinite hierarchy of progressively weaker assumptions whose complexities lie “between” DDH and CDH. This leads to a large number of new schemes because virtually all known DDH-based constructions can very easily be upgraded to be based on d-DDH. We use the same construction and security proof but get better security and moreover, the amortized complexity (e.g, computation per encrypted bit) is the same as when using DDH. We also show that d-DDH, just like DDH, is easy in bilinear groups. We therefore suggest a different type of assumption, the d-vector DDH problems (d-VDDH), which are based on f(X) = X, but with a twist to avoid problems with reducible polynomials. We show in the generic group model that d-VDDH is hard in bilinear groups and that the problems become harder with increasing d. We show that hardness of d-VDDH implies CCA-secure encryption, efficient Naor-Reingold style pseudorandom functions, and auxiliary input secure encryption. This can be seen as an alternative to the known family of k-LIN assumptions.