Rafail Ostrovsky - Publications

Extended-DDH and Lossy Trapdoor Functions

Brett Hemenway, Rafail Ostrovsky


Lossy Trapdoor Functions (LTFs) were introduced by Peikert and Waters in STOC’08 and have since found many applications, proving to be an extremely useful and versatile cryptographic primitive. Lossy trapdoor functions were used to build the first injective trapdoor functions based on DDH and the first IND-CCA cryptosystems based on lattice assumptions, and they are known to imply deterministic encryption, collision-resistant hash functions, oblivious transfer and a host of other important primitives. While LTFs can be instantiated under most known cryptographic hardness assumptions, no constructions until today existed based on generic cryptographic primitives. In this work, we show that any homomorphic Smooth Hash Proof System, introduced by Cramer and Shoup in EUROCRYPT’02, can be used to construct LTFs. In addition to providing a connection between two important cryptographic primitives, our construction implies the first construction of LTFs based on the QR assumption.

Smooth Hash Proof Systems (SHPs) can be seen as a generalization of the DDH assumption, yet can be built on other cryptographic assumptions, such as the DCR or QR assumptions. Yet, until today, a “translation” of results proven secure under DDH to results under DCR or QR has always been fraught with difficulties. Thus, as the second goal of this paper, we ask the following question: Is it possible to streamline such translation from DDH to QR and other primitives? Our second result formally provides this connection. More specifically, we define an extended Decisional Diffie-Hellman (EDDH) assumption, which is a simple and natural generalization of DDH. We show that EDDH can be instantiated under both the DCR and QR assumptions. This gives a much simpler connection between the DDH and the DCR and QR assumptions and provides an easy way to translate proofs from DDH to DCR or QR. That is, the advantage of the EDDH assumption is that most schemes (including LTFs) proven secure under the DDH assumption can easily be instantiated under the DCR and QR assumptions with almost no change to their proofs of security.

comment: Cryptography 2012 PP: 627-643
