Computational Diffie–Hellman assumption

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The computational Diffie–Hellman (CDH) assumption is a computational hardness assumption about the Diffie–Hellman problem.[1] The CDH assumption involves the problem of computing the discrete logarithm in cyclic groups. The CDH problem illustrates the attack of an eavesdropper in the Diffie–Hellman key exchange[2] protocol to obtain the exchanged secret key.


Consider a cyclic group G of order q. The CDH assumption states that, given

for a randomly chosen generator g and random

it is computationally intractable to compute the value

Relation to Discrete Logarithms[edit]

The CDH assumption is strongly related to the discrete logarithm assumption. If computing the discrete logarithm (base g ) in G were easy, then the CDH problem could be solved easily:


one could efficiently compute in the following way:

  • compute by taking the discrete log of to base ;
  • compute by exponentiation: ;

Computing the discrete logarithm is the only known method for solving the CDH problem. But there is no proof that it is, in fact, the only method. It is an open problem to determine whether the discrete log assumption is equivalent to the CDH assumption, though in certain special cases this can be shown to be the case.[3][4]

Relation to Decisional Diffie–Hellman Assumption[edit]

The CDH assumption is a weaker assumption than the Decisional Diffie–Hellman assumption (DDH assumption). If computing from was easy (CDH problem), then one could solve the DDH problem trivially.

Many cryptographic schemes that are constructed from the CDH problem rely in fact on the hardness of the DDH problem. The semantic security of the Diffie-Hellman Key Exchange as well as the security of the ElGamal encryption rely on the hardness of the DDH problem.

There are concrete constructions of groups where the stronger DDH assumption does not hold but the weaker CDH assumption still seems to be a reasonable hypothesis.[5]

Variations of the Computational Diffie–Hellman assumption[edit]

The following variations of the CDH problem have been studied and proven to be equivalent to the CDH problem:[6]

  • Square computational Diffie-Hellman problem (SCDH): On input , compute ;[7]
  • Inverse computational Diffie-Hellman problem (InvCDH): On input , compute ;[8]
  • Divisible computation Diffie-Hellman problem (DCDH): On input , compute ;

Variations of the Computational Diffie–Hellman assumption in product groups[edit]

Let and be two cyclic groups.

  • Computational co-Diffie–Hellman (co-CDH) problem: Given and , compute ;[9]


  1. ^ Bellare, Mihir; Rogaway, Phillip (2005), Introduction to Modern Cryptography (PDF)
  2. ^ Diffie, Whitfield; Hellman, Martin (1976), New directions in cryptography (PDF)
  3. ^ den Boer, Bert (1988), "Diffie-Hellman is as Strong as Discrete Log for Certain Primes" (PDF), Diffie–Hellman is as strong as discrete log for certain primes, Lecture Notes in Computer Science, 403, pp. 530–539, doi:10.1007/0-387-34799-2_38, ISBN 978-0-387-97196-4
  4. ^ Maurer, Ueli M. (1994), Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms, CiteSeerX
  5. ^ Joux, Antoine; Nguyen, Kim (2003), "Separating decision Diffie–Hellman from computational Diffie–Hellman in cryptographic groups", Journal of Cryptology, 16 (4): 239–247, doi:10.1007/s00145-003-0052-4
  6. ^ Bao, Feng; Deng, Robert H.; Zhu, Huafei (2003), Variations of the Diffie–Hellman Problem (PDF)
  7. ^ Burmester, Mike; Desmedt, Yvo; Seberry, Jeniffer (1998), "Equitable Key Escrow with Limited Time Span (or, How to Enforce Time Expiration Cryptographically) Extended Abstract" (PDF), Equitable key escrow with limited time span (or, how to enforce time expiration cryptographically), Lecture Notes in Computer Science, 1514, pp. 380–391, doi:10.1007/3-540-49649-1_30, ISBN 978-3-540-65109-3
  8. ^ Pfitzmann, Brigitte; Sadeghi, Ahmad-Reza (2000), "Anonymous fingerprinting with direct non-repudiation" (PDF), Advances in Cryptology — ASIACRYPT 2000, Lecture Notes in Computer Science, 1976, pp. 401–414, doi:10.1007/3-540-44448-3_31, ISBN 978-3-540-41404-9
  9. ^ Boneh, Dan; Lynn, Ben; Shacham, Hovav (2004), Short Signatures from the Weil Pairing (PDF), 17, pp. 297–319