CSE 594 : Modern Cryptography 30 March 2017 Lecture 1 : Public Key Encryption : II

2 DDH Problem Definition : {x← Z∗ p , y ← Z∗ p : (gx, gy, gxy)} ≈c {x← Z∗ p , y ← Z∗ p , z ← Z∗ p : (gx, gy, gz)} DDH problem states that the above two tuples are completely indistinguishable. Zp = {0, 1, ..., p− 1} where p is a very large prime and Z∗ p contains all non-zero elements in above set such that gcd(x, p) = 1. gxy which is dependant of x and y looks totally indistinguisable from a completely random number gz. Since |Z∗ p | is p − 1 which is not prime makes the problem easier in some cases and taking discrete logs also becomes easy. The way around was to work with safe primes. We work with prime order sub-group of Z∗ p by picking a safe prime p = 2q + 1 where q is also prime and g = x 2 for a random x ∈ Z∗ p . In general you can work with any prime order subgroup of Z∗ p . Let Gq is the group generated by g = {g0, g1, ..., gq−1} and size of the group is q. So now instead of picking up elements directly from Z∗ p , if you pick up x and y from Gq and then compute the values for the tuple the problem becomes hard.