Secure Hashed Diffie-Hellman over Non-DDH Groups

We show that in applications that use the Diffie-Hellman (DH) transform but take care of hashing the DH output (as required, for example, for secure DH-based encryption and key exchange) the usual requirement to work over a DDH group, i.e., a group in which the Decisional Diffie-Hellman assumption holds, can be relaxed to only requiring that the DH group contains a large enough DDH subgroup. In particular, this implies the security of (hashed) Diffie-Hellman over non-prime order groups such as Z∗ p . Moreover, our results indicate that one can work directly over Z∗ p without requiring any knowledge of the prime factorization of p−1 and without even having to find a generator of Z∗ p . These results are obtained via a general characterization of DDH groups in terms of their DDH subgroups, and a relaxation (called t-DDH) of the DDH assumption via computational entropy. We also show that, under the short-exponent discretelog assumption, the security of the hashed Diffie-Hellman transform is preserved when replacing full exponents with short exponents.