Decisional Linear Assumption
   HOME

TheInfoList



Click Here for Items Related To - Decisional Linear Assumption
OR:
Decisional Linear Assumption on:   [Wikipedia]   [Google]   [Amazon]

The Decision Linear (DLIN) assumption is a
computational hardness assumption In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently (where ''efficiently'' typically means "in polynomial time"). It is not known how to prove (uncondition ...
used in
elliptic curve cryptography Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide e ...
. In particular, the DLIN assumption is useful in settings where the decisional Diffie–Hellman assumption does not hold (as is often the case in
pairing-based cryptography Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping e :G_1 \times G_2 \to G_T to construct or analyze cryptographic systems. Definition The following definition is commonly ...
). The Decision Linear assumption was introduced by Boneh, Boyen, and Shacham.
Dan Boneh Dan Boneh (; he, דן בונה) is an Israeli-American professor in applied cryptography and computer security at Stanford University. In 2016, Boneh was elected a member of the National Academy of Engineering for contributions to the theory an ...
, Xavier Boyen, Hovav Shacham
Short Group Signatures
CRYPTO 2004: 41–55 Informally the DLIN assumption states that given (u, \, v, \, h, \, u^x, \, v^y), with u, \, v, \, h random group elements and x, \, y random exponents, it is hard to distinguish h^ from an independent random group element \eta.


Motivation

In symmetric
pairing-based cryptography Pairing-based cryptography is the use of a pairing between elements of two cryptographic groups to a third group with a mapping e :G_1 \times G_2 \to G_T to construct or analyze cryptographic systems. Definition The following definition is commonly ...
the group G is equipped with a pairing e :G \times G \to T which is bilinear. This map gives an efficient algorithm to solve the decisional Diffie-Hellman problem. Given input (g, \, g^a, \, g^b, \, h), it is easy to check if h is equal to g^. This follows by using the pairing: note that :e(g^a, g^b) = e(g,g)^ = e(g,g^). Thus, if h = g^, then the values e(g^a, g^b) and e(g,h) will be equal. Since this cryptographic assumption, essential to building
ElGamal encryption In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985. ElGamal encryption is used in th ...
and
signatures A signature (; from la, signare, "to sign") is a Handwriting, handwritten (and often Stylization, stylized) depiction of someone's name, nickname, or even a simple "X" or other mark that a person writes on documents as a proof of identity and ...
, does not hold in this case, new assumptions are needed to build cryptography in symmetric bilinear groups. The DLIN assumption is a modification of Diffie-Hellman type assumptions to thwart the above attack.


Formal definition

Let G be a
cyclic group In group theory, a branch of abstract algebra in pure mathematics, a cyclic group or monogenous group is a group, denoted C''n'', that is generated by a single element. That is, it is a set of invertible elements with a single associative bina ...
of
prime A prime number (or a prime) is a natural number greater than 1 that is not a product of two smaller natural numbers. A natural number greater than 1 that is not prime is called a composite number. For example, 5 is prime because the only ways ...
order Order, ORDER or Orders may refer to: * Categorization, the process in which ideas and objects are recognized, differentiated, and understood * Heterarchy, a system of organization wherein the elements have the potential to be ranked a number of d ...
p. Let u, v, and h be uniformly random generators of G. Let a,b be uniformly random elements of \. Define a distribution :D_1 = (u, \, v, \, h, \, u^a, \, v^b, \, h^). Let \eta be another uniformly random element of G. Define another distribution :D_2 = (u, \, v, \, h, \, u^a, \, v^b, \, \eta). The Decision Linear assumption states that D_1 and D_2 are
computationally indistinguishable In Analysis of algorithms, computational complexity and cryptography, two families of distributions are computationally indistinguishable if no efficient algorithm can tell the difference between them except with negligible probability. Formal def ...
.


Applications


Linear encryption

Boneh, Boyen, and Shacham define a
public key encryption Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...
scheme by analogy to ElGamal encryption. In this scheme, a public key is the generators u,v,h. The private key is two exponents such that u^x = v^y = h. Encryption combines a message m \in G with the public key to create a ciphertext :c := (c_1, \, c_2, \, c_3) = (u^a, \, v^b, \, m \cdot h^). To decrypt the ciphertext, the private key can be used to compute :m' := c_3 \cdot (c_1^x \cdot c_2^y)^. To check that this encryption scheme is correct, i.e. m' = m when both parties follow the protocol, note that :m' = c_3 \cdot (c_1^x \cdot c_2^y)^ = m \cdot h^ \cdot ((u^a)^x \cdot (v^b)^y)^ = m \cdot h^ \cdot ((u^x)^a \cdot (v^y)^b)^. Then using the fact that u^x = v^y = h yields :m' = m \cdot h^ \cdot (h^a \cdot h^b)^ = m \cdot (h^ \cdot h^) = m. Further, this scheme is
IND-CPA Ciphertext indistinguishability is a property of many encryption schemes. Intuitively, if a cryptosystem possesses the property of indistinguishability, then an adversary will be unable to distinguish pairs of ciphertexts based on the message th ...
secure Secure may refer to: * Security, being protected against danger or loss(es) **Physical security, security measures that are designed to deny unauthorized access to facilities, equipment, and resources **Information security, defending information ...
assuming that the DLIN assumption holds.


Short group signatures

Boneh, Boyen, and Shacham also use DLIN in a scheme for group signatures. The signatures are called "short group signatures" because, with a standard
security level In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security" (also security strength ...
, they can be represented in only 250
bytes The byte is a unit of digital information that most commonly consists of eight bits. Historically, the byte was the number of bits used to encode a single character of text in a computer and for this reason it is the smallest addressable unit ...
. Their protocol first uses linear encryption in order to define a special type of
zero-knowledge proof In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true while the prover avoids conveying any additional information a ...
. Then the
Fiat–Shamir heuristic In cryptography, the Fiat–Shamir heuristic is a technique for taking an interactive proof of knowledge and creating a digital signature based on it. This way, some fact (for example, knowledge of a certain secret number) can be publicly proven wi ...
is applied to transform the proof system into a
digital signature A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
. They prove this signature fulfills the additional requirements of unforgeability, anonymity, and traceability required of a group signature. Their proof relies on not only the DLIN assumption but also another assumption called the q-strong Diffie-Hellman assumption. It is proven in the
random oracle model In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time t ...
.


Other applications

Since its definition in 2004, the Decision Linear assumption has seen a variety of other applications. These include the construction of a
pseudorandom function In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish (with significant advantage) betwee ...
that generalizes the Naor-Reingold construction, an
attribute-based encryption Attribute-based encryption is a type of public-key encryption in which the secret key of a user and the ciphertext are dependent upon attributes (e.g. the country in which they live, or the kind of subscription they have). In such a system, the decr ...
scheme, and a special class of non-interactive zero-knowledge proofs. Benoît Libert, Thomas Peters, Marc Joye,
Moti Yung Mordechai M. "Moti" Yung is a cryptographer and computer scientist known for his work on cryptovirology and kleptography. Career Yung earned his PhD from Columbia University in 1988 under the supervision of Zvi Galil. In the past, he worked at the ...

Compactly Hiding Linear Spans
ASIACRYPT 2015: 681-707


References

{{Cryptography navbox Computational hardness assumptions Elliptic curve cryptography Pairing-based cryptography