Join Log in
Score:0
filter hash avatar Crypto

Security of a variant of DDH

cn flag
filter hash

The standard DDH assumption states that given $(g,g^a,g^b,g^c)$, it is hard to determine whether $c$ is $ab$ or not.

A variant of DDH assumption is: given $(g,g^a,g^b,g^c, g^{ab} ,g^{bc},g^{ac})$, it is hard to whether the last three terms are random or not.

Is the variant still secure? If then, how to prove this?

51
0 + 0
filter hash avatar
cn flag
filter hash
Let Adv be the advantage of a variant, and Adv_DDH be the that of DDH. Then, is it true that $Adv \le c* Adv_DDH$ for some constant $c$?
0
Reply
poncho avatar
my flag
poncho
What is the negative distribution (that is, the distribution the Oracle is expected to say 'false' to)? Is it $(g, g^a, g^b, g^c, g^d, g^e, g^f)$? Or, is it $(g, g^a, g^b, g^c, g^{ab}, g^{bc}, g^d)$ (for some ordering of the last three terms)?
0
Reply
filter hash avatar
cn flag
filter hash
@poncho Thanks you for comments. $(g,g^a,g^b,g^c,g^d,g^e,g^f)$ is right. That is, the variant assumption is that any PPT adversary is hard to distinguish between $(g,g^a,g^b,g^c,g^d,g^e,g^f)$ and $(g,g^a,g^b,g^c,g^{ab},g^{bc},g^{ca})$. I think the advantage could be bound by $c\cdot Adv_{DDH}$ for some $c$ since given the challenging query $(g,g^a,g^b,g^c,g^d,g^e,g^f)$, if the adversary of the variant can access to an oracle for solving DDH, he can try all possible 3-tuples. Is it right?
0
Reply
kelalaka avatar
in flag
kelalaka
We had a similar question https://crypto.stackexchange.com/q/98535/18298
1
Reply
filter hash avatar
cn flag
filter hash
@kelalaka Thank you
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.