new constructions and applications of trapdoor ddh groups
play

New Constructions and Applications of Trapdoor DDH Groups Yannick - PowerPoint PPT Presentation

Feb 04, 2023 •337 likes •954 views

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1, PKC 2013 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 1 / 27 Introduction Introduction: CDH versus DDH group G , element G G of

  1. New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1, PKC 2013 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 1 / 27

  2. Introduction Introduction: CDH versus DDH group G , element G ∈ G of large order CDH problem: given X = G x and Y = G y , compute G xy DDH problem: distinguish ( G x , G y , G xy ) and ( G x , G y , G z ) usual situations in cryptographic groups: CDH and DDH are both (presumably) hard 1 → e.g. prime order subgroup of Z ∗ p CDH is (presumably) hard and DDH is universally easy 2 → pairing groups Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 2 / 27

  3. Introduction Introduction: CDH versus DDH group G , element G ∈ G of large order CDH problem: given X = G x and Y = G y , compute G xy DDH problem: distinguish ( G x , G y , G xy ) and ( G x , G y , G z ) usual situations in cryptographic groups: CDH and DDH are both (presumably) hard 1 → e.g. prime order subgroup of Z ∗ p CDH is (presumably) hard and DDH is universally easy 2 → pairing groups Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 2 / 27

  4. Introduction Introduction: CDH versus DDH group G , element G ∈ G of large order CDH problem: given X = G x and Y = G y , compute G xy DDH problem: distinguish ( G x , G y , G xy ) and ( G x , G y , G z ) usual situations in cryptographic groups: CDH and DDH are both (presumably) hard 1 → e.g. prime order subgroup of Z ∗ p CDH is (presumably) hard and DDH is universally easy 2 → pairing groups Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 2 / 27

  5. Introduction Introduction: trapdoor DDH groups Trapdoor DDH groups (TDDH groups): lies somewhere between cases 1 and 2: → CDH is hard, while DDH is hard unless one has some trapdoor τ introduced by Dent and Galbraith [DG06] very few constructions (hidden pairing construction by [DG06]) very few applications: simple identification scheme [DG06] statistically hiding sets [PX09] Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 3 / 27

  6. Introduction Introduction: trapdoor DDH groups Trapdoor DDH groups (TDDH groups): lies somewhere between cases 1 and 2: → CDH is hard, while DDH is hard unless one has some trapdoor τ introduced by Dent and Galbraith [DG06] very few constructions (hidden pairing construction by [DG06]) very few applications: simple identification scheme [DG06] statistically hiding sets [PX09] Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 3 / 27

  7. Introduction Introduction: trapdoor DDH groups Trapdoor DDH groups (TDDH groups): lies somewhere between cases 1 and 2: → CDH is hard, while DDH is hard unless one has some trapdoor τ introduced by Dent and Galbraith [DG06] very few constructions (hidden pairing construction by [DG06]) very few applications: simple identification scheme [DG06] statistically hiding sets [PX09] Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 3 / 27

  8. Introduction Introduction: trapdoor DDH groups Trapdoor DDH groups (TDDH groups): lies somewhere between cases 1 and 2: → CDH is hard, while DDH is hard unless one has some trapdoor τ introduced by Dent and Galbraith [DG06] very few constructions (hidden pairing construction by [DG06]) very few applications: simple identification scheme [DG06] statistically hiding sets [PX09] Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 3 / 27

  9. Introduction In this paper Our contributions: we slightly refine the original definition of trapdoor DDH groups by [DG06] we introduce static trapdoor DDH groups we give new constructions of trapdoor DDH and static trapdoor DDH groups based on standard assumptions we show that (static) trapdoor DDH groups give very simple constructions of convertible undeniable signature schemes Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 4 / 27

  10. Introduction In this paper Our contributions: we slightly refine the original definition of trapdoor DDH groups by [DG06] we introduce static trapdoor DDH groups we give new constructions of trapdoor DDH and static trapdoor DDH groups based on standard assumptions we show that (static) trapdoor DDH groups give very simple constructions of convertible undeniable signature schemes Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 4 / 27

  11. Introduction In this paper Our contributions: we slightly refine the original definition of trapdoor DDH groups by [DG06] we introduce static trapdoor DDH groups we give new constructions of trapdoor DDH and static trapdoor DDH groups based on standard assumptions we show that (static) trapdoor DDH groups give very simple constructions of convertible undeniable signature schemes Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 4 / 27

  12. Introduction In this paper Our contributions: we slightly refine the original definition of trapdoor DDH groups by [DG06] we introduce static trapdoor DDH groups we give new constructions of trapdoor DDH and static trapdoor DDH groups based on standard assumptions we show that (static) trapdoor DDH groups give very simple constructions of convertible undeniable signature schemes Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 4 / 27

  13. Outline Outline Definition of Trapdoor DDH Groups 1 New Constructions of TDDH and Static TDDH Groups 2 A TDDH group based on composite residuosity A static TDDH group based on RSA A static TDDH group based on factoring Application to Convertible Undeniable Signatures 3 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 5 / 27

  14. Definition of Trapdoor DDH Groups Outline Definition of Trapdoor DDH Groups 1 New Constructions of TDDH and Static TDDH Groups 2 A TDDH group based on composite residuosity A static TDDH group based on RSA A static TDDH group based on factoring Application to Convertible Undeniable Signatures 3 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 6 / 27

  15. Definition of Trapdoor DDH Groups TDDH group: definition Trapdoor DDH group ( G , G , τ ) ← GpGen ( 1 k ) is a trapdoor DDH group if: 1 the DDH problem is hard for ( G , G ) without the trapdoor τ 2 the CDH problem is hard even with the trapdoor τ 3 there is a distinguishing algorithm Solve ( X , Y , Z , τ ) which: always accepts when ( X , Y , Z ) is a DDH tuple (completeness) accepts with negligible probability for any adversarially generated Z ← A ( X , Y ) (soundness) When Solve always rejects on input a non-DDH tuple ( X , Y , Z ) , we say that the TDDH group has perfect soundness. Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 7 / 27

  16. Definition of Trapdoor DDH Groups TDDH group: definition Trapdoor DDH group ( G , G , τ ) ← GpGen ( 1 k ) is a trapdoor DDH group if: 1 the DDH problem is hard for ( G , G ) without the trapdoor τ 2 the CDH problem is hard even with the trapdoor τ 3 there is a distinguishing algorithm Solve ( X , Y , Z , τ ) which: always accepts when ( X , Y , Z ) is a DDH tuple (completeness) accepts with negligible probability for any adversarially generated Z ← A ( X , Y ) (soundness) When Solve always rejects on input a non-DDH tuple ( X , Y , Z ) , we say that the TDDH group has perfect soundness. Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 7 / 27

  17. Definition of Trapdoor DDH Groups TDDH group: definition Trapdoor DDH group ( G , G , τ ) ← GpGen ( 1 k ) is a trapdoor DDH group if: 1 the DDH problem is hard for ( G , G ) without the trapdoor τ 2 the CDH problem is hard even with the trapdoor τ 3 there is a distinguishing algorithm Solve ( X , Y , Z , τ ) which: always accepts when ( X , Y , Z ) is a DDH tuple (completeness) accepts with negligible probability for any adversarially generated Z ← A ( X , Y ) (soundness) When Solve always rejects on input a non-DDH tuple ( X , Y , Z ) , we say that the TDDH group has perfect soundness. Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 7 / 27

  18. Definition of Trapdoor DDH Groups TDDH group: definition Trapdoor DDH group ( G , G , τ ) ← GpGen ( 1 k ) is a trapdoor DDH group if: 1 the DDH problem is hard for ( G , G ) without the trapdoor τ 2 the CDH problem is hard even with the trapdoor τ 3 there is a distinguishing algorithm Solve ( X , Y , Z , τ ) which: always accepts when ( X , Y , Z ) is a DDH tuple (completeness) accepts with negligible probability for any adversarially generated Z ← A ( X , Y ) (soundness) When Solve always rejects on input a non-DDH tuple ( X , Y , Z ) , we say that the TDDH group has perfect soundness. Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 7 / 27

  19. Definition of Trapdoor DDH Groups TDDH group: definition Trapdoor DDH group ( G , G , τ ) ← GpGen ( 1 k ) is a trapdoor DDH group if: 1 the DDH problem is hard for ( G , G ) without the trapdoor τ 2 the CDH problem is hard even with the trapdoor τ 3 there is a distinguishing algorithm Solve ( X , Y , Z , τ ) which: always accepts when ( X , Y , Z ) is a DDH tuple (completeness) accepts with negligible probability for any adversarially generated Z ← A ( X , Y ) (soundness) When Solve always rejects on input a non-DDH tuple ( X , Y , Z ) , we say that the TDDH group has perfect soundness. Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 7 / 27

Recommend

APPLICATIONS For applications of Constructions I and II we implicitly use the following result

APPLICATIONS For applications of Constructions I and II we implicitly use the following result

C ONSTRUCTION OF SIMPLE 3- DESIGNS USING RESOLUTION Tran van Trung Institut fr Experimentelle Mathematik Universitt Duisburg-Essen ALCOMA15 Kloster Banz, Germany March 1520, 2015 O UTLINE Generic constructions Applications (

468 views • 34 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 10 Today: Constructions of

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 10 Today: Constructions of

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 10 Today: Constructions of Public-Key Encryption 1: Trapdoor Permutations (RSA) composite N/factoring 2: Quadratic Residuosity/Goldwasser-Micali composite N/factoring 3:

528 views • 39 slides
Construction groups 1 Watch Video 2 KUDUMBASHREE CONSTRUCTIONS (1/3) All women

Construction groups 1 Watch Video 2 KUDUMBASHREE CONSTRUCTIONS (1/3) All women

Kudumbashree Women Construction groups 1 Watch Video 2 KUDUMBASHREE CONSTRUCTIONS (1/3) All women construction group consisting of 8 women formed on 01.01.2014. They undertake construction activities like building plans, estimates,

570 views • 17 slides
A microscopic approach to Souslin trees constructions Forcing and its Applications Retrospective

A microscopic approach to Souslin trees constructions Forcing and its Applications Retrospective

A microscopic approach to Souslin trees constructions Forcing and its Applications Retrospective Workshop The Fields Institute, Toronto, Canada 01-April-2015 Assaf Rinot Bar-Ilan University 1 / 32 This is joint work with Ari M. Brodsky , and

2.24k views • 159 slides
Applications of gluing constructions in General Relativity Daniel Pollack University of

Applications of gluing constructions in General Relativity Daniel Pollack University of

Applications of gluing constructions in General Relativity Daniel Pollack University of Washington From Geometry to Numerics Institut Henri Poincar e (IHP) Paris, France Based on joint work with Piotr Chru sciel, James Isenberg and Rafe

310 views • 16 slides
The HISPACAT comparative database of syntactic constructions and its applications to syntactic

The HISPACAT comparative database of syntactic constructions and its applications to syntactic

Goals Theory Architecture Results Conclusions The HISPACAT comparative database of syntactic constructions and its applications to syntactic variation research Workshop on Research Infrastructure for Linguistic Variation Xavier Villalba

509 views • 20 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Constructions and Applications for Accurate Counting of the Bloom Filter False Positive Free Zone

Constructions and Applications for Accurate Counting of the Bloom Filter False Positive Free Zone

Constructions and Applications for Accurate Counting of the Bloom Filter False Positive Free Zone Ori Rottenstreich Pedro Reviriego Ely Porat S. Muthukrishnan Technion Uni. Carlos III de Madrid Bar Ilan

461 views • 24 slides
Codes with locality: constructions and applications to cryptographic protocols Julien Lavauzelle

Codes with locality: constructions and applications to cryptographic protocols Julien Lavauzelle

Codes with locality: constructions and applications to cryptographic protocols Julien Lavauzelle cole Polytechnique & INRIA Saclay, Universit Paris-Saclay PhD defense 30/11/2018 Outline 1. Codes with locality Locality in coding

1.54k views • 104 slides
On algebraic constructions of graphs without small cycles and commutative diagrams and their

On algebraic constructions of graphs without small cycles and commutative diagrams and their

On algebraic constructions of graphs without small cycles and commutative diagrams and their applications On algebraic constructions of graphs without small cycles and commutative diagrams and their applications Vasyl Ustimenko and Urszula

632 views • 51 slides
Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for

902 views • 59 slides
Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa

Multilinear maps from lattices Constructions, attacks, and applications Yilei Chen (Visa Research) Crypto Innovation School Shanghai 2019 1 What are multilinear maps? 2 3 Cool. So what are the multilinear maps in cryptography? 4

2.17k views • 147 slides
Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1

Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1

Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International 1 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing

925 views • 71 slides
Maximum rank distance codes: constructions, classifications, and applications John Sheekey UCD,

Maximum rank distance codes: constructions, classifications, and applications John Sheekey UCD,

Maximum rank distance codes: constructions, classifications, and applications John Sheekey UCD, Dublin, Ireland Dagstuhl, August 2016 Rank metric codes A rank metric code is a set C M m n ( F q ) of m n matrices ( m n ) over F q

1.02k views • 85 slides
Laguerre calculus on nilpotent Lie groups of step two and its applications 2019 Jubilee of

Laguerre calculus on nilpotent Lie groups of step two and its applications 2019 Jubilee of

Laguerre calculus on nilpotent Lie groups of step two and its applications 2019 Jubilee of Fourier Analysis and Applications in honor of Professor John Benedetto Norbert Wiener Center, Dept. of Math., UMCP Der-Chen Chang Georgetown University

437 views • 42 slides
Approximate groups and their applications: part 2 E. Breuillard Universit e Paris-Sud, Orsay

Approximate groups and their applications: part 2 E. Breuillard Universit e Paris-Sud, Orsay

Approximate groups and their applications: part 2 E. Breuillard Universit e Paris-Sud, Orsay St. Andrews, August 3-10, 2013 1 / 20 The sum-product phenomenon A precursor (historically) to approximate groups is the following result:

859 views • 41 slides
Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020)

Chapter 9: Passive Constructions Syntactic Constructions in English Kim and Michaelis (2020) Syntactic Constructions Chapter 9 1 / 43 Introduction 1 2 The Relationship between Active and Passive Approaches to Passive 3 From Structural

597 views • 43 slides
x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

x ? ? ? ? computation easy One Way Hash Function (OWHF) h h h h h

ECRYPT Bart Preneel Emerging Topics in Cryptographic Design and Cryptanalysis Generic Constructions 30 April- 4 May 2007, Samos Greece for Iterated Hash Functions Outline Generic Constructions Generic Constructions for Iterated Hash

759 views • 10 slides
Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum

Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum

Second International Conference on Quantum Error Correction University of Southern California, Dec. 5-9 2011 Towards Optimal Constructions of Towards Optimal Constructions of Dynamically Corrected Quantum Gates Dynamically Corrected Quantum

700 views • 25 slides
New Constructions of RIP Matrices with Fast Multiplication and Fewer Rows aka, sparse recovery

New Constructions of RIP Matrices with Fast Multiplication and Fewer Rows aka, sparse recovery

New Constructions of RIP Matrices with Fast Multiplication and Fewer Rows aka, sparse recovery from Fourier -like measurements with applications to fast Johnson-Lindenstrauss transforms , etc. Jelani Nelson, Eric Price, and Mary Wootters February

394 views • 24 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm? Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische

922 views • 70 slides

More recommend