Computational Diffie–Hellman assumption
||This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations. (July 2015) (Learn how and when to remove this template message)|
Consider a cyclic group G of order q. The CDH assumption states that, given
for a randomly chosen generator g and random
it is computationally intractable to compute the value
The security of many cryptosystems is based on the CDH assumption. Also, the confidentiality of ElGamal encryption is equivalent to the CDH assumption (though the semantic security of the scheme is based on the decisional Diffie–Hellman assumption).
The CDH assumption is related to the discrete logarithm assumption, which holds that computing the discrete logarithm of a value base a generator is hard. If taking discrete logs in were easy, then the CDH assumption would be false: given
one could efficiently compute in the following way:
- compute by taking the discrete log of to base ;
- compute by exponentiation: ;
It is an open problem to determine whether the discrete log assumption is equivalent to CDH, though in certain special cases this can be shown to be the case.
The CDH assumption is also related to the decisional Diffie–Hellman assumption (DDH), which holds that it is hard to distinguish tuples of the form from random tuples. If computing from were easy, then one could detect DDH tuples trivially. It is believed that CDH is a weaker assumption than DDH: there are groups for which detecting DDH tuples is easy, but solving CDH problems is believed to be hard.
- Bao, Feng; Deng, Robert H.; Zhu, Huafei (2003), Variations of the Diffie–Hellman Problem (PDF)
- Maurer, Ueli M. (1994), Towards the Equivalence of Breaking the Diffie-Hellman Protocol and Computing Discrete Logarithms