On the q-Strong Diffie-Hellman Problem

This note is an exposition of reductions among the q-strong Diffie-Hellman problem and related problems. 1 The q-Strong Diffie-Hellman Problem We discuss reductions among the q-strong Diffie-Hellman (q-sDH) problem [1, 3] and related problems. We use the following notation: 1. G1 and G2 are two cyclic groups of prime order p. 2. g1 is a generator of G1 and g2 is a generator of G2. 3. ψ is an isomorphism from G2 to G1, with ψ(g2) = g1. 1.1 The q-Strong Diffie-Hellman Problem over Two Groups Boneh and Boyen defined the q-strong Diffie-Hellman (q-sDH) problem in the Eurocrypt 2004 paper [1] as follows: Definition 1 (q-strong Diffie-Hellman Problem). Assume that ψ is efficiently computable. For an randomly chosen element x ∈ Zp and a random generator g2 ∈ G2, the q-strong Diffie-Hellman Problem is, given (g1, g2, gx 2 , g x2 2 , . . . , g xq 2 ) ∈ G1 × G q+1 2 , to compute a pair (g 1/(x+c) 1 , c) ∈ G1 × Zp. This q-sDH problem is defined based on two groups G1 and G2. We call this problem the Eurocrypt 2004 version q-sDH problem. They defined a variant of the q-sDH problem in the Journal of Cryptology paper [2] as follows: Definition 2 (q-strong Diffie-Hellman Problem (Journal of Cryptology version)). For an randomly chosen element x ∈ Zp and random generators g1 ∈ G1, g2 ∈ G2, the q-strong DiffieHellman Problem is, given (g1, gx 1 , g x2 1 , . . . , g xq 1 , g2, g x 2 ) ∈ G q+1 1 ×G2, to compute a pair (g 1/(x+c) 1 , c) ∈ G1 × Zp. They said that this Journal of Cryptology version q-sDH problem is harder than the Eurocrypt 2004 version q-sDH problem, as ψ is the former no longer requires the existence of efficiently computable isomorphism ψ. We easily see that the Eurocrypt 2004 version problem is reducible to the Journal of Cryptology version problem as follows: for a given (g1, g2, gx 2 , g x2 2 , . . . , g xq 2 ), we compute gx i 1 = ψ(g xi 2 ) for i (1 ≤ i ≤ q) to obtain (g1, gx 1 , gx 2 1 , . . . , g xq 1 , g2, g x 2 ), input it to the oracle of the Journal of Cryptology version problem, and finally obtain (g 1 , c). They [2] also said that when G1 = G2, the pair (g2, gx 2 ) is redundant. Actually, in this case, the Journal of Cryptology version q-sDH problem is equivalent to the following problem: Definition 3 (one-generator q-strong Diffie-Hellman Problem). For an randomly chosen element x ∈ Zp and a random generators g1 ∈ G1, the one-generator q-strong Diffie-Hellman Problem is, given (g1, gx 1 , g x2 1 , . . . , g xq 1 ) ∈ G q+1 1 , to compute a pair (g 1/(x+c) 1 , c) ∈ G1 × Zp. We call this problem one-generator q-strong Diffie-Hellman (one-generator q-sDH) problem. 1 This note is based on the first author’s master thesis. 1.2 The q-Strong Diffie-Hellman Problem over Single Group Here we assume that G1 = G2 and discuss reductions among the q-sDH problem over a single group and its variants. Recall that the one-generator q-sDH problem is also defined over a single group. As in the previous section, the original q-sDH (the Eurocrypt 2004 version q-sDH) problem is also reducible to the Journal of Cryptology version q-sDH problem in the single group setting G1 = G2, and then is reducible to the one-generator q-sDH problem. [the original q-sDH problem (G1 = G2)] ≤ [the JoC version problem (G1 = G2)] ≡ [the one-generator q-sDH problem] We review other two variants of q-sDH problem defined over a single group, q-weak DiffieHellman problem and exponent q-strong Diffie-Hellman Problem. Mitsunari et al. [5] defined the q-weak Diffie-Hellman (q-wDH) problem as follows: Definition 4 (q-weak Diffie-Hellman Problem). For an randomly chosen element x ∈ Zp and a random generators g1 ∈ G1, the q-weak Diffie-Hellman Problem is, given (g1, gx 1 , gx 2 1 , . . . , g xq 1 ) ∈ G 1 , to compute an element g 1/x 1 ∈ G1. Zhang et al. [7] defined the following variant problem: Definition 5 (exponent q-strong Diffie-Hellman Problem). For an randomly chosen element x ∈ Zp and a random generators g1 ∈ G1, the exponent q-strong Diffie-Hellman Problem is, given (g1, gx 1 , g x2 1 , . . . , g xq 1 ) ∈ G q+1 1 , to compute an element g xq+1 1 ∈ G1. This problem is deeply investigated by Cheon [4]. Zhang et al. [7] showed that the q-wDH problem is equivalent to the exponent q-sDH problem. [the q-wDH problem] ≡ [the exponent q-sDH problem] Reardon [6] showed that the one-generator q-sDH problem is reducible to the q-wDH problem. [the one-generator q-sDH problem] ≤ [the q-wDH problem] We summarize the reductions that appears in the subsection: [the original q-sDH problemm (G1 = G2)] ≤ [the JoC version problem (G1 = G2)] ≡ [the one-generator q-sDH problem] ≤ [the q-wDH problem] ≡ [the exponent q-sDH problem]