Computational Diffie–Hellman Assumption

The computational Diffie–Hellman (CDH) assumption is a computational hardness assumption about the Diffie–Hellman problem.
The CDH assumption involves the problem of computing the discrete logarithm in cyclic groups. The CDH problem illustrates the attack of an eavesdropper in the Diffie–Hellman key exchange protocol to obtain the exchanged secret key.

Definition

Consider a cyclic group ''G'' of order ''q''. The CDH assumption states that, given

:$(g,g^a,g^b) \,$

for a randomly chosen generator ''g'' and random

:$a,b \in \,\,$

it is computationally intractable to compute the value

:$g^. \,$

Relation to Discrete Logarithms

The CDH assumption is strongly related to the discrete logarithm assumption. If computing the discrete logarithm (base ''g'' ) in ''G'' were easy, then the CDH problem could be solved easily:

Given

:$(g,g^a,g^b), \,$

one could efficiently compute $g^$ in the following way:

* compute $a$ by taking the discrete log of $g^a$ to base $g$;
* compute $g^$ by exponentiation: $g^ = (g^b)^a$;

Computing the discrete logarithm is the only known method for solving the CDH problem. But there is no proof that it is, in fact, the only method. It is an open problem to determine whether the discrete log assumption is equivalent to the CDH assumption, though in certain special cases this can be shown to be the case.

Relation to Decisional Diffie–Hellman Assumption

The CDH assumption is a ''weaker'' assumption than the Decisional Diffie–Hellman assumption (DDH assumption). If computing $g^$ from $(g,g^a,g^b)$ was easy (CDH problem), then one could solve the DDH problem trivially.

Many cryptographic schemes that are constructed from the CDH problem rely in fact on the hardness of the DDH problem. The semantic security of the Diffie-Hellman Key Exchange as well as the security of the ElGamal encryption rely on the hardness of the DDH problem.

There are concrete constructions of groups where the stronger DDH assumption does not hold but the weaker CDH assumption still seems to be a reasonable hypothesis.

Variations of the Computational Diffie–Hellman assumption

The following variations of the CDH problem have been studied and proven to be equivalent to the CDH problem:
* Square computational Diffie-Hellman problem (SCDH): On input $g, g^x$, compute $g^$;
* Inverse computational Diffie-Hellman problem (InvCDH): On input $g, g^x$, compute $g^$;
* Divisible computation Diffie-Hellman problem (DCDH): On input $g, g^x, g^y$, compute $g^$;

Variations of the Computational Diffie–Hellman assumption in product groups

Let $G_1$ and $G_2$ be two cyclic groups.
* Co-Computational Diffie–Hellman (co-CDH) problem: Given $g, g^a \in G_1$ and $h \in G_2$, compute $h^a \in G_2$;

References

{{DEFAULTSORT:Computational Diffie-Hellman assumption
Computational hardness assumptions