Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden.
powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden.
powered by
Abstract
The generic-group model (\( \textrm{GGM}\)) aims to capture algorithms working over groups of prime order that only rely on the group operation, but do not exploit any additional structure given by the concrete implementation of the group. In it, it is possible to prove information-theoretic lower bounds on the hardness of problems like the discrete logarithm (DL) or computational Diffie-Hellman (CDH). Thus, since its introduction, it has served as a valuable tool to assess the concrete security provided by cryptographic schemes based on such problems. A work on the related algebraic-group model (AGM) introduced a method, used by many subsequent works, to adapt \( \textrm{GGM}\) lower bounds for one problem to another, by means of conceptually simple reductions.
In this work, we propose an alternative approach to extend \( \textrm{GGM}\) bounds from one problem to another. Following an idea by Yun [EC15], we show that, in the \( \textrm{GGM}\), the security of a large class of problems can be reduced to that of geometric search-problems. By reducing the security of the resulting geometric-search problems to variants of the search-by-hypersurface problem, for which information theoretic lower bounds exist, we give alternative proofs of several results that used the AGM approach.
The main advantage of our approach is that our reduction from geometric search-problems works, as well, for the \(\textrm{GGM}\) with preprocessing (more precisely the bit-fixing \( \textrm{GGM}\) introduced by Coretti, Dodis and Guo [Crypto18]). As a consequence, this opens up the possibility of transferring preprocessing \( \textrm{GGM}\) bounds from one problem to another, also by means of simple reductions. Concretely, we prove novel preprocessing bounds on the hardness of the d-strong discrete logarithm, the d-strong Diffie-Hellman inversion, and multi-instance CDH problems, as well as a large class of Uber assumptions. Additionally, our approach applies to Shoup’s GGM without additional restrictions on the query behavior of the adversary, while the recent works of Zhang, Zhou, and Katz [AC22] and Zhandry [Crypto22] highlight that this is not the case for the AGM approach.
Anzeige
Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.
We refer to these problems as geometric search-problems, since queries of this type can be seen as testing whether the hypersurface in \( \mathbb {Z}_p^t \) defined by \( \hat{F} \) contains \( \vec {x} \) or not.
Alternatively, one could also make this requirement explicit by changing the inputs to \( \textrm{Eval}\) to be a vector \( (a_0,\dots ,a_k)\in \mathbb {Z}_p^k \) and return whether \( \vec {x} \) lies on the hypersurface defined by \( a_0+\sum _{i=1}^k a_iF_i \). The requirement for solutions \( \hat{F}_i \) could be adapted accordingly.
As is the case for \( \textrm{Eval}\), oracle \( \textrm{Dec}\) corresponds to evaluating containment in a hypersurface, albeit, one of degree possibly higher than the ones in the linear span of the input polynomials. Thus, one could incorporate \( \textrm{Dec}_{W_i} \) into \( \textrm{Eval}\) by expanding the range of admissible polynomials for the latter from \( \textrm{Span}(1,F_1,\dots ,F_k) \) to also include polynomials of the form \( W_i(F'_1,\dots ,F'_{s_i})\in \mathbb {Z}_p[X_1,\dots ,X_t] \) for \( F'_j\in \textrm{Span}(1,F_1,\dots ,F_k) \). However, we decided to keep the oracles separated in order to have a clearer conceptual distinction between the group-operation oracle and decisional oracles.
We measure the running time of generic algorithms by their query count. So, both sampling from \( \mathcal {R}\) and checking whether \( \sigma \in \mathcal {R}\) need not be efficiently computable. We use this approach for ease of exposition, but point out that these operations can easily be adapted to be done efficiently by sampling \( \mathcal {R}\) on the fly.