# Computational Diffie–Hellman assumption

The computational Diffie–Hellman (CDH) assumption is a computational hardness assumption about the Diffie–Hellman problem.[1] The CDH assumption involves the problem of computing the discrete logarithm in cyclic groups. The CDH problem illustrates the attack of an eavesdropper in the Diffie–Hellman key exchange[2] protocol to obtain the exchanged secret key.

## Definition

Consider a cyclic group G of order q. The CDH assumption states that, given

${\displaystyle (g,g^{a},g^{b})\,}$

for a randomly chosen generator g and random

${\displaystyle a,b\in \{0,\ldots ,q-1\},\,}$

it is computationally intractable to compute the value

${\displaystyle g^{ab}.\,}$

## Relation to Discrete Logarithms

The CDH assumption is strongly related to the discrete logarithm assumption. If computing the discrete logarithm (base g ) in G were easy, then the CDH problem could be solved easily:

Given

${\displaystyle (g,g^{a},g^{b}),\,}$

one could efficiently compute ${\displaystyle g^{ab}}$ in the following way:

• compute ${\displaystyle a}$ by taking the discrete log of ${\displaystyle g^{a}}$ to base ${\displaystyle g}$;
• compute ${\displaystyle g^{ab}}$ by exponentiation: ${\displaystyle g^{ab}=(g^{b})^{a}}$;

Computing the discrete logarithm is the only known method for solving the CDH problem. But there is no proof that it is, in fact, the only method. It is an open problem to determine whether the discrete log assumption is equivalent to the CDH assumption, though in certain special cases this can be shown to be the case.[3][4]

## Relation to Decisional Diffie–Hellman Assumption

The CDH assumption is a weaker assumption than the Decisional Diffie–Hellman assumption (DDH assumption). If computing ${\displaystyle g^{ab}}$ from ${\displaystyle (g,g^{a},g^{b})}$ was easy (CDH problem), then one could solve the DDH problem trivially.

Many cryptographic schemes that are constructed from the CDH problem rely in fact on the hardness of the DDH problem. The semantic security of the Diffie–Hellman key exchange as well as the security of the ElGamal encryption rely on the hardness of the DDH problem.

There are concrete constructions of groups where the stronger DDH assumption does not hold but the weaker CDH assumption still seems to be a reasonable hypothesis.[5]

## Variations of the Computational Diffie–Hellman assumption

The following variations of the CDH problem have been studied and proven to be equivalent to the CDH problem:[6]

• Square computational Diffie–Hellman problem (SCDH): On input ${\displaystyle g,g^{x}}$, compute ${\displaystyle g^{x^{2}}}$;[7]
• Inverse computational Diffie–Hellman problem (InvCDH): On input ${\displaystyle g,g^{x}}$, compute ${\displaystyle g^{x^{-1}}}$;[8]
• Divisible computation Diffie–Hellman problem (DCDH): On input ${\displaystyle g,g^{x},g^{y}}$, compute ${\displaystyle g^{y/x}}$;

## Variations of the Computational Diffie–Hellman assumption in product groups

Let ${\displaystyle G_{1}}$ and ${\displaystyle G_{2}}$ be two cyclic groups.

• Co-Computational Diffie–Hellman (co-CDH) problem: Given ${\displaystyle g,g^{a}\in G_{1}}$ and ${\displaystyle h\in G_{2}}$, compute ${\displaystyle h^{a}\in G_{2}}$;[9]

## References

1. ^ Bellare, Mihir; Rogaway, Phillip (2005), Introduction to Modern Cryptography (PDF)
2. ^ Diffie, Whitfield; Hellman, Martin (1976), New directions in cryptography (PDF)
3. ^ den Boer, Bert (1988), Diffie–Hellman is as strong as discrete log for certain primes (PDF), Lecture Notes in Computer Science, vol. 403, pp. 530–539, doi:10.1007/0-387-34799-2_38, ISBN 978-0-387-97196-4
4. ^ Maurer, Ueli M. (1994), Towards the Equivalence of Breaking the Diffie–Hellman Protocol and Computing Discrete Logarithms, CiteSeerX 10.1.1.26.530
5. ^ Joux, Antoine; Nguyen, Kim (2003), "Separating decision Diffie–Hellman from computational Diffie–Hellman in cryptographic groups", Journal of Cryptology, 16 (4): 239–247, doi:10.1007/s00145-003-0052-4
6. ^ Bao, Feng; Deng, Robert H.; Zhu, Huafei (2003), Variations of the Diffie–Hellman Problem (PDF)
7. ^ Burmester, Mike; Desmedt, Yvo; Seberry, Jeniffer (1998), "Equitable Key Escrow with Limited Time Span (or, How to Enforce Time Expiration Cryptographically) Extended Abstract" (PDF), Equitable key escrow with limited time span (or, how to enforce time expiration cryptographically), Lecture Notes in Computer Science, vol. 1514, pp. 380–391, doi:10.1007/3-540-49649-1_30, ISBN 978-3-540-65109-3
8. ^ Pfitzmann, Brigitte; Sadeghi, Ahmad-Reza (2000), "Anonymous fingerprinting with direct non-repudiation" (PDF), Advances in Cryptology — ASIACRYPT 2000, Lecture Notes in Computer Science, vol. 1976, pp. 401–414, doi:10.1007/3-540-44448-3_31, ISBN 978-3-540-41404-9
9. ^ Boneh, Dan; Lynn, Ben; Shacham, Hovav (2004), "Short Signatures from the Weil Pairing" (PDF), Journal of Cryptology, 17 (4): 297–319, doi:10.1007/s00145-004-0314-9, S2CID 929219