Extended-DDH and Lossy Trapdooer Functions
Brett Hemenway, Rafail Ostrovsky
Lossy Trapdoor Functions (LTFs) were introduced by Peikert and Waters in STOCâ€™08 and since then have found many applications and have proven to be an extremely useful and versatile cryptographic primitive. Lossy trapdoor functions were used to build the first injective trapdoor functions basede on DDH, the first IND-CCA crypttosystems based on lattice assumptions, and they are known to imply deterministic encryption, collision resistant hash â€“functions, oblivious transfer and host of other important primitives. While LTFs can be instantiated under most known cryptographic hardness assumptions, no constructions until today existed based on generic cryptographic primitives. In this work, we show that any homomorphic Smooth Hash Proof System, introduced by Cramer and Shoup in EUROCRYPTâ€™ 02 , can be used to construct LTFs. In addition to providing a connection between two important cryptographic primitives-our construction implies the first construction of the LFTs based on the QR assumption.
Smooth Hash Proof Systems (SHPs) can be seen as a generalization of the DDH assumption, yet can be built on other cryptographic assumptions, such as the DCR or QR assumptions. Yet, until today, a â€œtranslationâ€ of results proven secure under DDH to results under DCR or QR has always been fraught with difficulties. Thus, as our second goal of this paper, we ask the following question: Is it possible to streamline such translation from DDH to QR and other primitives? Our second result formally provides this connection. More. specifically, we define an extended Decisional Diffie Hellman (EDDH) assumption, which is a simple and natural generalization of DDH. We show that EDDH can be instantiated under both the DCR and QR assumptions. This gives a much simpler connection between the DDH and the DCR and QR assumptions and provides an easy way to translate proofs from DDH to DCR or QR. That is, the advantage of the EDDH assumption is that most schemes (including LTDs) proven secure under the DDH assumption can easily be instantiated under the DCR and QR assumptions with almost no change to their proofs of security.
comment: Cryptography 2012 PP: 627-643
Fetch PDF file of the paper
|Back to Publications List|