The Distinction Between Fixed and Random Generators in Group-Based Assumptions

James Bartusek; Fermi Ma; Mark Zhandry

doi:10.1007/978-3-030-26951-7_27

The Distinction Between Fixed and Random Generators in Group-Based Assumptions

James Bartusek, Fermi Ma, Mark Zhandry

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Scopus citations

Abstract

There is surprisingly little consensus on the precise role of the generator g in group-based assumptions such as DDH. Some works consider g to be a fixed part of the group description, while others take it to be random. We study this subtle distinction from a number of angles. In the generic group model, we demonstrate the plausibility of groups in which random-generator DDH (resp. CDH) is hard but fixed-generator DDH (resp. CDH) is easy. We observe that such groups have interesting cryptographic applications.We find that seemingly tight generic lower bounds for the Discrete-Log and CDH problems with preprocessing (Corrigan-Gibbs and Kogan, Eurocrypt 2018) are not tight in the sub-constant success probability regime if the generator is random. We resolve this by proving tight lower bounds for the random generator variants; our results formalize the intuition that using a random generator will reduce the effectiveness of preprocessing attacks.We observe that DDH-like assumptions in which exponents are drawn from low-entropy distributions are particularly sensitive to the fixed- vs. random-generator distinction. Most notably, we discover that the Strong Power DDH assumption of Komargodski and Yogev (Komargodski and Yogev, Eurocrypt 2018) used for non-malleable point obfuscation is in fact false precisely because it requires a fixed generator. In response, we formulate an alternative fixed-generator assumption that suffices for a new construction of non-malleable point obfuscation, and we prove the assumption holds in the generic group model. We also give a generic group proof for the security of fixed-generator, low-entropy DDH (Canetti, Crypto 1997).

Original language	English (US)
Title of host publication	Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings
Editors	Alexandra Boldyreva, Daniele Micciancio
Publisher	Springer Verlag
Pages	801-830
Number of pages	30
ISBN (Print)	9783030269500
DOIs	https://doi.org/10.1007/978-3-030-26951-7_27
State	Published - 2019
Event	39th Annual International Cryptology Conference, CRYPTO 2019 - Santa Barbara, United States Duration: Aug 18 2019 → Aug 22 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11693 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	39th Annual International Cryptology Conference, CRYPTO 2019
Country/Territory	United States
City	Santa Barbara
Period	8/18/19 → 8/22/19

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-030-26951-7_27

Cite this

Bartusek, J., Ma, F., & Zhandry, M. (2019). The Distinction Between Fixed and Random Generators in Group-Based Assumptions. In A. Boldyreva, & D. Micciancio (Eds.), Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings (pp. 801-830). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11693 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-26951-7_27

Bartusek, James ; Ma, Fermi ; Zhandry, Mark. / The Distinction Between Fixed and Random Generators in Group-Based Assumptions. Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. editor / Alexandra Boldyreva ; Daniele Micciancio. Springer Verlag, 2019. pp. 801-830 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ffe4a3db77c244cf83f498c0bf5d86c3,

title = "The Distinction Between Fixed and Random Generators in Group-Based Assumptions",

abstract = "There is surprisingly little consensus on the precise role of the generator g in group-based assumptions such as DDH. Some works consider g to be a fixed part of the group description, while others take it to be random. We study this subtle distinction from a number of angles. In the generic group model, we demonstrate the plausibility of groups in which random-generator DDH (resp. CDH) is hard but fixed-generator DDH (resp. CDH) is easy. We observe that such groups have interesting cryptographic applications.We find that seemingly tight generic lower bounds for the Discrete-Log and CDH problems with preprocessing (Corrigan-Gibbs and Kogan, Eurocrypt 2018) are not tight in the sub-constant success probability regime if the generator is random. We resolve this by proving tight lower bounds for the random generator variants; our results formalize the intuition that using a random generator will reduce the effectiveness of preprocessing attacks.We observe that DDH-like assumptions in which exponents are drawn from low-entropy distributions are particularly sensitive to the fixed- vs. random-generator distinction. Most notably, we discover that the Strong Power DDH assumption of Komargodski and Yogev (Komargodski and Yogev, Eurocrypt 2018) used for non-malleable point obfuscation is in fact false precisely because it requires a fixed generator. In response, we formulate an alternative fixed-generator assumption that suffices for a new construction of non-malleable point obfuscation, and we prove the assumption holds in the generic group model. We also give a generic group proof for the security of fixed-generator, low-entropy DDH (Canetti, Crypto 1997).",

author = "James Bartusek and Fermi Ma and Mark Zhandry",

note = "Funding Information: We thank Justin Holmgren for collaboration in the early stages of this work and for contributing a number of extremely valuable insights. We also thank Alon Rosen for helpful feedback regarding exposition and presentation. This material is based upon work supported by the ARO and DARPA under Contract No. W911NF-15-C-0227. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ARO and DARPA. Funding Information: This material is based upon work supported by the ARO and DARPA under Contract No. W911NF-15-C-0227. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ARO and DARPA.; 39th Annual International Cryptology Conference, CRYPTO 2019 ; Conference date: 18-08-2019 Through 22-08-2019",

year = "2019",

doi = "10.1007/978-3-030-26951-7_27",

language = "English (US)",

isbn = "9783030269500",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "801--830",

editor = "Alexandra Boldyreva and Daniele Micciancio",

booktitle = "Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings",

address = "Germany",

}

Bartusek, J, Ma, F & Zhandry, M 2019, The Distinction Between Fixed and Random Generators in Group-Based Assumptions. in A Boldyreva & D Micciancio (eds), Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11693 LNCS, Springer Verlag, pp. 801-830, 39th Annual International Cryptology Conference, CRYPTO 2019, Santa Barbara, United States, 8/18/19. https://doi.org/10.1007/978-3-030-26951-7_27

The Distinction Between Fixed and Random Generators in Group-Based Assumptions. / Bartusek, James; Ma, Fermi; Zhandry, Mark.
Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. ed. / Alexandra Boldyreva; Daniele Micciancio. Springer Verlag, 2019. p. 801-830 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11693 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - The Distinction Between Fixed and Random Generators in Group-Based Assumptions

AU - Bartusek, James

AU - Ma, Fermi

AU - Zhandry, Mark

N1 - Funding Information: We thank Justin Holmgren for collaboration in the early stages of this work and for contributing a number of extremely valuable insights. We also thank Alon Rosen for helpful feedback regarding exposition and presentation. This material is based upon work supported by the ARO and DARPA under Contract No. W911NF-15-C-0227. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ARO and DARPA. Funding Information: This material is based upon work supported by the ARO and DARPA under Contract No. W911NF-15-C-0227. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ARO and DARPA.

PY - 2019

Y1 - 2019

N2 - There is surprisingly little consensus on the precise role of the generator g in group-based assumptions such as DDH. Some works consider g to be a fixed part of the group description, while others take it to be random. We study this subtle distinction from a number of angles. In the generic group model, we demonstrate the plausibility of groups in which random-generator DDH (resp. CDH) is hard but fixed-generator DDH (resp. CDH) is easy. We observe that such groups have interesting cryptographic applications.We find that seemingly tight generic lower bounds for the Discrete-Log and CDH problems with preprocessing (Corrigan-Gibbs and Kogan, Eurocrypt 2018) are not tight in the sub-constant success probability regime if the generator is random. We resolve this by proving tight lower bounds for the random generator variants; our results formalize the intuition that using a random generator will reduce the effectiveness of preprocessing attacks.We observe that DDH-like assumptions in which exponents are drawn from low-entropy distributions are particularly sensitive to the fixed- vs. random-generator distinction. Most notably, we discover that the Strong Power DDH assumption of Komargodski and Yogev (Komargodski and Yogev, Eurocrypt 2018) used for non-malleable point obfuscation is in fact false precisely because it requires a fixed generator. In response, we formulate an alternative fixed-generator assumption that suffices for a new construction of non-malleable point obfuscation, and we prove the assumption holds in the generic group model. We also give a generic group proof for the security of fixed-generator, low-entropy DDH (Canetti, Crypto 1997).

AB - There is surprisingly little consensus on the precise role of the generator g in group-based assumptions such as DDH. Some works consider g to be a fixed part of the group description, while others take it to be random. We study this subtle distinction from a number of angles. In the generic group model, we demonstrate the plausibility of groups in which random-generator DDH (resp. CDH) is hard but fixed-generator DDH (resp. CDH) is easy. We observe that such groups have interesting cryptographic applications.We find that seemingly tight generic lower bounds for the Discrete-Log and CDH problems with preprocessing (Corrigan-Gibbs and Kogan, Eurocrypt 2018) are not tight in the sub-constant success probability regime if the generator is random. We resolve this by proving tight lower bounds for the random generator variants; our results formalize the intuition that using a random generator will reduce the effectiveness of preprocessing attacks.We observe that DDH-like assumptions in which exponents are drawn from low-entropy distributions are particularly sensitive to the fixed- vs. random-generator distinction. Most notably, we discover that the Strong Power DDH assumption of Komargodski and Yogev (Komargodski and Yogev, Eurocrypt 2018) used for non-malleable point obfuscation is in fact false precisely because it requires a fixed generator. In response, we formulate an alternative fixed-generator assumption that suffices for a new construction of non-malleable point obfuscation, and we prove the assumption holds in the generic group model. We also give a generic group proof for the security of fixed-generator, low-entropy DDH (Canetti, Crypto 1997).

UR - http://www.scopus.com/inward/record.url?scp=85071434916&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85071434916&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-26951-7_27

DO - 10.1007/978-3-030-26951-7_27

M3 - Conference contribution

AN - SCOPUS:85071434916

SN - 9783030269500

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 801

EP - 830

BT - Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings

A2 - Boldyreva, Alexandra

A2 - Micciancio, Daniele

PB - Springer Verlag

T2 - 39th Annual International Cryptology Conference, CRYPTO 2019

Y2 - 18 August 2019 through 22 August 2019

ER -

Bartusek J, Ma F, Zhandry M. The Distinction Between Fixed and Random Generators in Group-Based Assumptions. In Boldyreva A, Micciancio D, editors, Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. Springer Verlag. 2019. p. 801-830. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-26951-7_27

The Distinction Between Fixed and Random Generators in Group-Based Assumptions

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this