Score:0

Security of a variant of DDH

cn flag

The standard DDH assumption states that given $(g,g^a,g^b,g^c)$, it is hard to determine whether $c$ is $ab$ or not.

A variant of DDH assumption is: given $(g,g^a,g^b,g^c, g^{ab} ,g^{bc},g^{ac})$, it is hard to whether the last three terms are random or not.

Is the variant still secure? If then, how to prove this?

filter hash avatar
cn flag
Let Adv be the advantage of a variant, and Adv_DDH be the that of DDH. Then, is it true that $Adv \le c* Adv_DDH$ for some constant $c$?
poncho avatar
my flag
What is the negative distribution (that is, the distribution the Oracle is expected to say 'false' to)? Is it $(g, g^a, g^b, g^c, g^d, g^e, g^f)$? Or, is it $(g, g^a, g^b, g^c, g^{ab}, g^{bc}, g^d)$ (for some ordering of the last three terms)?
filter hash avatar
cn flag
@poncho Thanks you for comments. $(g,g^a,g^b,g^c,g^d,g^e,g^f)$ is right. That is, the variant assumption is that any PPT adversary is hard to distinguish between $(g,g^a,g^b,g^c,g^d,g^e,g^f)$ and $(g,g^a,g^b,g^c,g^{ab},g^{bc},g^{ca})$. I think the advantage could be bound by $c\cdot Adv_{DDH}$ for some $c$ since given the challenging query $(g,g^a,g^b,g^c,g^d,g^e,g^f)$, if the adversary of the variant can access to an oracle for solving DDH, he can try all possible 3-tuples. Is it right?
kelalaka avatar
in flag
We had a similar question https://crypto.stackexchange.com/q/98535/18298
filter hash avatar
cn flag
@kelalaka Thank you
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.