首页 > 其他分享 >52 Things: Number 11: What are the DLP, CDH and DDH problems?

52 Things: Number 11: What are the DLP, CDH and DDH problems?

时间:2024-04-11 12:55:53浏览次数:24  
标签:11 What CDH Alice DDH ga gab DLP

52 Things: Number 11: What are the DLP, CDH and DDH problems?

52 件事: 数字 11:DLP、CDH 和 DDH 问题是什么?

  This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This blog is the second in the section on Mathematical Background and concerns how group operations can be used to design cryptographic primitives.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的 52 件事来做密码学”列表:一组问题汇编,让博士生在第一年结束时了解他们应该知道什么。这篇博客是数学背景部分的第二篇,涉及如何使用组操作来设计加密基元。

As you probably know by now, cryptography often relies on 'hard problems'. That is, we design cryptographic protocols whose security can be proven if we assume that the adversary is unable to solve a certain (mathematical) problem in a reasonable amount of time. This blog post introduces three such problems which are widely used in security proofs. Luckily for me, a) this is really just Group Theory, not Computer Science and b) just two days before writing this I attended a very decent guest lecture by fellow Bristol Crypto researcher Susan Thomson on this exact topic. (That is to say, any inaccuracies in the following can and should be blamed on her!)
正如您现在可能知道的那样,密码学通常依赖于“难题”。也就是说,我们设计了加密协议,如果我们假设对手无法在合理的时间内解决某个(数学)问题,则可以证明其安全性。这篇博文介绍了三个在安全证明中广泛使用的问题。幸运的是,a)这真的只是群论,而不是计算机科学,b)就在写这篇文章的前两天,我参加了布里斯托尔加密研究员Susan Thomson关于这个确切主题的非常体面的客座讲座。(也就是说,以下任何不准确之处都可以而且应该归咎于她!

The Discrete Logarithm Problem (DLP)
离散对数问题 (DLP)

Okay, let <span id="MathJax-Span-2" class="mrow"><span id="MathJax-Span-3" class="mi">G be an abelian group. First we write the operation in <span id="MathJax-Span-5" class="mrow"><span id="MathJax-Span-6" class="mi">G multiplicatively. For any <span id="MathJax-Span-8" class="mrow"><span id="MathJax-Span-9" class="mi">g<span id="MathJax-Span-10" class="mo">&isin;<span id="MathJax-Span-11" class="mi">G and any integer <span id="MathJax-Span-13" class="mrow"><span id="MathJax-Span-14" class="mi">a<span id="MathJax-Span-15" class="mo">&gt;<span id="MathJax-Span-16" class="mn">1 let <span id="MathJax-Span-18" class="mrow"><span id="MathJax-Span-19" class="msubsup"><span id="MathJax-Span-20" class="mi">g<span id="MathJax-Span-21" class="mi">a denote <span id="MathJax-Span-23" class="mrow"><span id="MathJax-Span-24" class="mi">g<span id="MathJax-Span-25" class="mo">&lowast;<span id="MathJax-Span-26" class="mi">g<span id="MathJax-Span-27" class="mo">&lowast;<span id="MathJax-Span-28" class="mo">.<span id="MathJax-Span-29" class="mo">.<span id="MathJax-Span-30" class="mo">.<span id="MathJax-Span-31" class="mo">&lowast;<span id="MathJax-Span-32" class="mi">g with <span id="MathJax-Span-34" class="mrow"><span id="MathJax-Span-35" class="mi">a occurrences of <span id="MathJax-Span-37" class="mrow"><span id="MathJax-Span-38" class="mi">g. The discrete logarithm problem (DLP) is:
好吧,让我们 <span id="MathJax-Span-2" class="mrow"><span id="MathJax-Span-3" class="mi">G 成为一个阿贝尔小组。首先,我们 <span id="MathJax-Span-5" class="mrow"><span id="MathJax-Span-6" class="mi">G 用乘法写入运算。对于任何 <span id="MathJax-Span-8" class="mrow"><span id="MathJax-Span-9" class="mi">g<span id="MathJax-Span-10" class="mo">&isin;<span id="MathJax-Span-11" class="mi">G 和任意整数, <span id="MathJax-Span-13" class="mrow"><span id="MathJax-Span-14" class="mi">a<span id="MathJax-Span-15" class="mo">&gt;<span id="MathJax-Span-16" class="mn">1 请 <span id="MathJax-Span-18" class="mrow"><span id="MathJax-Span-19" class="msubsup"><span id="MathJax-Span-20" class="mi">g<span id="MathJax-Span-21" class="mi">a 用 <span id="MathJax-Span-34" class="mrow"><span id="MathJax-Span-35" class="mi">a 的 <span id="MathJax-Span-37" class="mrow"><span id="MathJax-Span-38" class="mi">g 出现次数表示 <span id="MathJax-Span-23" class="mrow"><span id="MathJax-Span-24" class="mi">g<span id="MathJax-Span-25" class="mo">&lowast;<span id="MathJax-Span-26" class="mi">g<span id="MathJax-Span-27" class="mo">&lowast;<span id="MathJax-Span-28" class="mo">.<span id="MathJax-Span-29" class="mo">.<span id="MathJax-Span-30" class="mo">.<span id="MathJax-Span-31" class="mo">&lowast;<span id="MathJax-Span-32" class="mi">g 。离散对数问题 (DLP) 为:
  Given <span id="MathJax-Span-40" class="mrow"><span id="MathJax-Span-41" class="mi">G, <span id="MathJax-Span-43" class="mrow"><span id="MathJax-Span-44" class="mi">g and <span id="MathJax-Span-46" class="mrow"><span id="MathJax-Span-47" class="mi">h<span id="MathJax-Span-48" class="mo">=<span id="MathJax-Span-49" class="msubsup"><span id="MathJax-Span-50" class="mi">g<span id="MathJax-Span-51" class="mi">a, find <span id="MathJax-Span-53" class="mrow"><span id="MathJax-Span-54" class="mi">a.
给定 <span id="MathJax-Span-40" class="mrow"><span id="MathJax-Span-41" class="mi">G 和 <span id="MathJax-Span-43" class="mrow"><span id="MathJax-Span-44" class="mi">g <span id="MathJax-Span-46" class="mrow"><span id="MathJax-Span-47" class="mi">h<span id="MathJax-Span-48" class="mo">=<span id="MathJax-Span-49" class="msubsup"><span id="MathJax-Span-50" class="mi">g<span id="MathJax-Span-51" class="mi">a ,找到 <span id="MathJax-Span-53" class="mrow"><span id="MathJax-Span-54" class="mi">a 。 
Here <span id="MathJax-Span-56" class="mrow"><span id="MathJax-Span-57" class="mi">a is called the discrete logarithm of <span id="MathJax-Span-59" class="mrow"><span id="MathJax-Span-60" class="mi">h with base <span id="MathJax-Span-62" class="mrow"><span id="MathJax-Span-63" class="mi">g, hence the name of the problem.
这里 <span id="MathJax-Span-56" class="mrow"><span id="MathJax-Span-57" class="mi">a 称为 <span id="MathJax-Span-59" class="mrow"><span id="MathJax-Span-60" class="mi">h 的离散对数 <span id="MathJax-Span-62" class="mrow"><span id="MathJax-Span-63" class="mi">g ,因此问题的名称。

Is the discrete logarithm problem hard? Sometimes, maybe. As a counter-example, let <span id="MathJax-Span-65" class="mrow"><span id="MathJax-Span-66" class="mi">G be the integers under addition. So now it makes sense to write the group operation additively, not multiplicatively. So the same process of repeating the group operation with the same element <span id="MathJax-Span-68" class="mrow"><span id="MathJax-Span-69" class="mi">g is now written <span id="MathJax-Span-71" class="mrow"><span id="MathJax-Span-72" class="mi">g<span id="MathJax-Span-73" class="mo">+<span id="MathJax-Span-74" class="mi">g<span id="MathJax-Span-75" class="mo">+<span id="MathJax-Span-76" class="mo">.<span id="MathJax-Span-77" class="mo">.<span id="MathJax-Span-78" class="mo">.<span id="MathJax-Span-79" class="mo">+<span id="MathJax-Span-80" class="mi">g with, say, <span id="MathJax-Span-82" class="mrow"><span id="MathJax-Span-83" class="mi">a summands and, since we're working in the integers, this sum, call it <span id="MathJax-Span-85" class="mrow"><span id="MathJax-Span-86" class="mi">h, is just equal to the integer <span id="MathJax-Span-88" class="mrow"><span id="MathJax-Span-89" class="mi">a<span id="MathJax-Span-90" class="mi">g. Therefore <span id="MathJax-Span-92" class="mrow"><span id="MathJax-Span-93" class="mi">a, the discrete logarithm of <span id="MathJax-Span-95" class="mrow"><span id="MathJax-Span-96" class="mi">h to the base <span id="MathJax-Span-98" class="mrow"><span id="MathJax-Span-99" class="mi">g, can be found by just dividing <span id="MathJax-Span-101" class="mrow"><span id="MathJax-Span-102" class="mi">h by <span id="MathJax-Span-104" class="mrow"><span id="MathJax-Span-105" class="mi">g. For example, if I say to you, "find the discrete logarithm to the base 3 of 18 in the integers under addition", you'd just write <span id="MathJax-Span-107" class="mrow"><span id="MathJax-Span-108" class="mn">3<span id="MathJax-Span-109" class="mo">+<span id="MathJax-Span-110" class="mn">3<span id="MathJax-Span-111" class="mo">+<span id="MathJax-Span-112" class="mo">.<span id="MathJax-Span-113" class="mo">.<span id="MathJax-Span-114" class="mo">.<span id="MathJax-Span-115" class="mo">+<span id="MathJax-Span-116" class="mn">3<span id="MathJax-Span-117" class="mo">=<span id="MathJax-Span-118" class="mn">18 with <span id="MathJax-Span-120" class="mrow"><span id="MathJax-Span-121" class="mi">a summands on the left, simplify this to <span id="MathJax-Span-123" class="mrow"><span id="MathJax-Span-124" class="mn">3<span id="MathJax-Span-125" class="mi">a<span id="MathJax-Span-126" class="mo">=<span id="MathJax-Span-127" class="mn">18 and find that <span id="MathJax-Span-129" class="mrow"><span id="MathJax-Span-130" class="mi">a<span id="MathJax-Span-131" class="mo">=<span id="MathJax-Span-132" class="mn">6. I could change the group to integers modulo <span id="MathJax-Span-134" class="mrow"><span id="MathJax-Span-135" class="mi">N for some integer <span id="MathJax-Span-137" class="mrow"><span id="MathJax-Span-138" class="mi">N<span id="MathJax-Span-139" class="mo">&gt;<span id="MathJax-Span-140" class="mn">1 (still under addition) but the problem wouldn't be much harder: one has to solve an equation like <span id="MathJax-Span-142" class="mrow"><span id="MathJax-Span-143" class="mi">a<span id="MathJax-Span-144" class="mi">g<span id="MathJax-Span-145" class="mo">&equiv;<span id="MathJax-Span-146" class="mi">h<span id="MathJax-Span-147" class="mspace"><span id="MathJax-Span-148" class="mo">(<span id="MathJax-Span-149" class="texatom"><span id="MathJax-Span-150" class="mrow"><span id="MathJax-Span-151" class="mi">m<span id="MathJax-Span-152" class="mi">o<span id="MathJax-Span-153" class="mi">d<span id="MathJax-Span-154" class="mspace"><span id="MathJax-Span-155" class="mi">N<span id="MathJax-Span-156" class="mo">) which is solved by performing the Extended Euclidean Algorithm to find <span id="MathJax-Span-158" class="mrow"><span id="MathJax-Span-159" class="msubsup"><span id="MathJax-Span-160" class="mi">g<span id="MathJax-Span-161" class="texatom"><span id="MathJax-Span-162" class="mrow"><span id="MathJax-Span-163" class="mo">&minus;<span id="MathJax-Span-164" class="mn">1<span id="MathJax-Span-165" class="mspace"><span id="MathJax-Span-166" class="mo">(<span id="MathJax-Span-167" class="texatom"><span id="MathJax-Span-168" class="mrow"><span id="MathJax-Span-169" class="mi">m<span id="MathJax-Span-170" class="mi">o<span id="MathJax-Span-171" class="mi">d<span id="MathJax-Span-172" class="mspace"><span id="MathJax-Span-173" class="mi">N<span id="MathJax-Span-174" class="mo">) (if it exists), multiplying this by <span id="MathJax-Span-176" class="mrow"><span id="MathJax-Span-177" class="mi">h and reducing modulo <span id="MathJax-Span-179" class="mrow"><span id="MathJax-Span-180" class="mi">N to obtain <span id="MathJax-Span-182" class="mrow"><span id="MathJax-Span-183" class="mi">a. All of this is can be done in polynomial time - no good for building secure cryptographic primitives.
离散对数问题难吗?有时,也许。作为反例,假设 <span id="MathJax-Span-65" class="mrow"><span id="MathJax-Span-66" class="mi">G 是加法下的整数。因此,现在以加法而不是乘法方式编写组运算是有意义的。因此,现在用 summands 编写了使用相同元素 <span id="MathJax-Span-68" class="mrow"><span id="MathJax-Span-69" class="mi">g 重复组运算的相同过程,并且由于我们在整数中工作,因此这个总和(称为 <span id="MathJax-Span-85" class="mrow"><span id="MathJax-Span-86" class="mi">h )刚好等于整数 <span id="MathJax-Span-88" class="mrow"><span id="MathJax-Span-89" class="mi">a<span id="MathJax-Span-90" class="mi">g 。 <span id="MathJax-Span-71" class="mrow"><span id="MathJax-Span-72" class="mi">g<span id="MathJax-Span-73" class="mo">+<span id="MathJax-Span-74" class="mi">g<span id="MathJax-Span-75" class="mo">+<span id="MathJax-Span-76" class="mo">.<span id="MathJax-Span-77" class="mo">.<span id="MathJax-Span-78" class="mo">.<span id="MathJax-Span-79" class="mo">+<span id="MathJax-Span-80" class="mi">g <span id="MathJax-Span-82" class="mrow"><span id="MathJax-Span-83" class="mi">a 因此 <span id="MathJax-Span-92" class="mrow"><span id="MathJax-Span-93" class="mi">a ,底的 <span id="MathJax-Span-95" class="mrow"><span id="MathJax-Span-96" class="mi">h 离散对数 <span id="MathJax-Span-98" class="mrow"><span id="MathJax-Span-99" class="mi">g 可以通过 <span id="MathJax-Span-101" class="mrow"><span id="MathJax-Span-102" class="mi">h 除以 <span id="MathJax-Span-104" class="mrow"><span id="MathJax-Span-105" class="mi">g 得到。例如,如果我对你说,“在加法下的整数中找到以 3 的 18 为底的离散对数”,你只需在左边 <span id="MathJax-Span-107" class="mrow"><span id="MathJax-Span-108" class="mn">3<span id="MathJax-Span-109" class="mo">+<span id="MathJax-Span-110" class="mn">3<span id="MathJax-Span-111" class="mo">+<span id="MathJax-Span-112" class="mo">.<span id="MathJax-Span-113" class="mo">.<span id="MathJax-Span-114" class="mo">.<span id="MathJax-Span-115" class="mo">+<span id="MathJax-Span-116" class="mn">3<span id="MathJax-Span-117" class="mo">=<span id="MathJax-Span-118" class="mn">18 写 <span id="MathJax-Span-120" class="mrow"><span id="MathJax-Span-121" class="mi">a 求和,将其简化为 <span id="MathJax-Span-123" class="mrow"><span id="MathJax-Span-124" class="mn">3<span id="MathJax-Span-125" class="mi">a<span id="MathJax-Span-126" class="mo">=<span id="MathJax-Span-127" class="mn">18 并找到 <span id="MathJax-Span-129" class="mrow"><span id="MathJax-Span-130" class="mi">a<span id="MathJax-Span-131" class="mo">=<span id="MathJax-Span-132" class="mn">6 .对于某些整数(仍在加法中),我可以将该组更改为整数模 <span id="MathJax-Span-134" class="mrow"><span id="MathJax-Span-135" class="mi">N ,但问题不会更难:必须求解一个方程,例如 <span id="MathJax-Span-142" class="mrow"><span id="MathJax-Span-143" class="mi">a<span id="MathJax-Span-144" class="mi">g<span id="MathJax-Span-145" class="mo">&equiv;<span id="MathJax-Span-146" class="mi">h<span id="MathJax-Span-147" class="mspace"><span id="MathJax-Span-148" class="mo">(<span id="MathJax-Span-149" class="texatom"><span id="MathJax-Span-150" class="mrow"><span id="MathJax-Span-151" class="mi">m<span id="MathJax-Span-152" class="mi">o<span id="MathJax-Span-153" class="mi">d<span id="MathJax-Span-154" class="mspace"><span id="MathJax-Span-155" class="mi">N<span id="MathJax-Span-156" class="mo">) 通过执行扩展欧几里得算法求解 <span id="MathJax-Span-158" class="mrow"><span id="MathJax-Span-159" class="msubsup"><span id="MathJax-Span-160" class="mi">g<span id="MathJax-Span-161" class="texatom"><span id="MathJax-Span-162" class="mrow"><span id="MathJax-Span-163" class="mo">&minus;<span id="MathJax-Span-164" class="mn">1<span id="MathJax-Span-165" class="mspace"><span id="MathJax-Span-166" class="mo">(<span id="MathJax-Span-167" class="texatom"><span id="MathJax-Span-168" class="mrow"><span id="MathJax-Span-169" class="mi">m<span id="MathJax-Span-170" class="mi">o<span id="MathJax-Span-171" class="mi">d<span id="MathJax-Span-172" class="mspace"><span id="MathJax-Span-173" class="mi">N<span id="MathJax-Span-174" class="mo">) (如果存在),将其乘以 <span id="MathJax-Span-176" class="mrow"><span id="MathJax-Span-177" class="mi">h 并减少模 <span id="MathJax-Span-179" class="mrow"><span id="MathJax-Span-180" class="mi">N 以获得 <span id="MathJax-Span-182" class="mrow"><span id="MathJax-Span-183" class="mi">a 。 <span id="MathJax-Span-137" class="mrow"><span id="MathJax-Span-138" class="mi">N<span id="MathJax-Span-139" class="mo">&gt;<span id="MathJax-Span-140" class="mn">1 所有这些都可以在多项式时间内完成 - 对于构建安全的加密原语没有好处。

On the other hand, the DLP in a finite field of prime order viewed as a group under multiplication (after throwing out the zero element) or in elliptic curve groups (more on those next week) is believed to be hard. That is, we do not yet know of any polynomial time algorithms for finding discrete logarithms in these groups. As a concrete example, suppose I ask you, "find the discrete logarithm to the base 3 of 5 in the multiplicative group of the integers modulo 7". This means find an integer <span id="MathJax-Span-185" class="mrow"><span id="MathJax-Span-186" class="mi">a such that <span id="MathJax-Span-188" class="mrow"><span id="MathJax-Span-189" class="msubsup"><span id="MathJax-Span-190" class="mn">3<span id="MathJax-Span-191" class="mi">a<span id="MathJax-Span-192" class="mo">&equiv;<span id="MathJax-Span-193" class="mn">5<span id="MathJax-Span-194" class="mspace"><span id="MathJax-Span-195" class="mo">(<span id="MathJax-Span-196" class="texatom"><span id="MathJax-Span-197" class="mrow"><span id="MathJax-Span-198" class="mi">m<span id="MathJax-Span-199" class="mi">o<span id="MathJax-Span-200" class="mi">d<span id="MathJax-Span-201" class="mspace"><span id="MathJax-Span-202" class="mn">7<span id="MathJax-Span-203" class="mo">). Now that we are in the multiplicative group, not the additive one and so we really do have to 'take logarithms' somehow, not just multiply by the inverse of 3. In this case, since 7 is fairly small, we can find the answer by just trying all the possibilities one at a time until we find a solution:
另一方面,在有限的素数阶域中,DLP被视为乘法组(抛出零元素后)或椭圆曲线组(下周将详细介绍)中的DLP被认为是困难的。也就是说,我们还不知道任何多项式时间算法可以在这些组中寻找离散对数。举个具体的例子,假设我问你,“在整数模 7 的乘法群中找到以 3 的 5 为底的离散对数”。这意味着找到一个整数, <span id="MathJax-Span-185" class="mrow"><span id="MathJax-Span-186" class="mi">a <span id="MathJax-Span-188" class="mrow"><span id="MathJax-Span-189" class="msubsup"><span id="MathJax-Span-190" class="mn">3<span id="MathJax-Span-191" class="mi">a<span id="MathJax-Span-192" class="mo">&equiv;<span id="MathJax-Span-193" class="mn">5<span id="MathJax-Span-194" class="mspace"><span id="MathJax-Span-195" class="mo">(<span id="MathJax-Span-196" class="texatom"><span id="MathJax-Span-197" class="mrow"><span id="MathJax-Span-198" class="mi">m<span id="MathJax-Span-199" class="mi">o<span id="MathJax-Span-200" class="mi">d<span id="MathJax-Span-201" class="mspace"><span id="MathJax-Span-202" class="mn">7<span id="MathJax-Span-203" class="mo">) 使得 .现在我们处于乘法组,而不是加法组,因此我们确实必须以某种方式“取对数”,而不仅仅是乘以 3 的倒数。在这种情况下,由于 7 相当小,我们可以通过一次尝试所有可能性来找到答案,直到我们找到解决方案:
  1. <span id="MathJax-Span-205" class="mrow"><span id="MathJax-Span-206" class="msubsup"><span id="MathJax-Span-207" class="mn">3<span id="MathJax-Span-208" class="mn">1<span id="MathJax-Span-209" class="mo">=<span id="MathJax-Span-210" class="mn">3<span id="MathJax-Span-211" class="mo">&equiv;̸<span id="MathJax-Span-212" class="mn">5<span id="MathJax-Span-213" class="mspace"><span id="MathJax-Span-214" class="mo">(<span id="MathJax-Span-215" class="texatom"><span id="MathJax-Span-216" class="mrow"><span id="MathJax-Span-217" class="mi">m<span id="MathJax-Span-218" class="mi">o<span id="MathJax-Span-219" class="mi">d<span id="MathJax-Span-220" class="mspace"><span id="MathJax-Span-221" class="mn">7<span id="MathJax-Span-222" class="mo">)
  2. <span id="MathJax-Span-224" class="mrow"><span id="MathJax-Span-225" class="msubsup"><span id="MathJax-Span-226" class="mn">3<span id="MathJax-Span-227" class="mn">2<span id="MathJax-Span-228" class="mo">=<span id="MathJax-Span-229" class="mn">9<span id="MathJax-Span-230" class="mo">&equiv;<span id="MathJax-Span-231" class="mn">2<span id="MathJax-Span-232" class="mo">&equiv;̸<span id="MathJax-Span-233" class="mn">5<span id="MathJax-Span-234" class="mspace"><span id="MathJax-Span-235" class="mo">(<span id="MathJax-Span-236" class="texatom"><span id="MathJax-Span-237" class="mrow"><span id="MathJax-Span-238" class="mi">m<span id="MathJax-Span-239" class="mi">o<span id="MathJax-Span-240" class="mi">d<span id="MathJax-Span-241" class="mspace"><span id="MathJax-Span-242" class="mn">7<span id="MathJax-Span-243" class="mo">)
  3. <span id="MathJax-Span-245" class="mrow"><span id="MathJax-Span-246" class="msubsup"><span id="MathJax-Span-247" class="mn">3<span id="MathJax-Span-248" class="mn">3<span id="MathJax-Span-249" class="mo">=<span id="MathJax-Span-250" class="mo">(<span id="MathJax-Span-251" class="msubsup"><span id="MathJax-Span-252" class="mn">3<span id="MathJax-Span-253" class="mn">2<span id="MathJax-Span-254" class="mo">)<span id="MathJax-Span-255" class="mo">&times;<span id="MathJax-Span-256" class="mn">3<span id="MathJax-Span-257" class="mo">&equiv;<span id="MathJax-Span-258" class="mn">2<span id="MathJax-Span-259" class="mo">&times;<span id="MathJax-Span-260" class="mn">3<span id="MathJax-Span-261" class="mo">=<span id="MathJax-Span-262" class="mn">6<span id="MathJax-Span-263" class="mo">&equiv;̸<span id="MathJax-Span-264" class="mn">5<span id="MathJax-Span-265" class="mspace"><span id="MathJax-Span-266" class="mo">(<span id="MathJax-Span-267" class="texatom"><span id="MathJax-Span-268" class="mrow"><span id="MathJax-Span-269" class="mi">m<span id="MathJax-Span-270" class="mi">o<span id="MathJax-Span-271" class="mi">d<span id="MathJax-Span-272" class="mspace"><span id="MathJax-Span-273" class="mn">7<span id="MathJax-Span-274" class="mo">)
  4. <span id="MathJax-Span-276" class="mrow"><span id="MathJax-Span-277" class="msubsup"><span id="MathJax-Span-278" class="mn">3<span id="MathJax-Span-279" class="mn">4<span id="MathJax-Span-280" class="mo">=<span id="MathJax-Span-281" class="mo">(<span id="MathJax-Span-282" class="msubsup"><span id="MathJax-Span-283" class="mn">3<span id="MathJax-Span-284" class="mn">3<span id="MathJax-Span-285" class="mo">)<span id="MathJax-Span-286" class="mo">&times;<span id="MathJax-Span-287" class="mn">3<span id="MathJax-Span-288" class="mo">&equiv;<span id="MathJax-Span-289" class="mn">6<span id="MathJax-Span-290" class="mo">&times;<span id="MathJax-Span-291" class="mn">3<span id="MathJax-Span-292" class="mo">=<span id="MathJax-Span-293" class="mn">18<span id="MathJax-Span-294" class="mo">&equiv;<span id="MathJax-Span-295" class="mn">4<span id="MathJax-Span-296" class="mo">&equiv;̸<span id="MathJax-Span-297" class="mn">5<span id="MathJax-Span-298" class="mspace"><span id="MathJax-Span-299" class="mo">(<span id="MathJax-Span-300" class="texatom"><span id="MathJax-Span-301" class="mrow"><span id="MathJax-Span-302" class="mi">m<span id="MathJax-Span-303" class="mi">o<span id="MathJax-Span-304" class="mi">d<span id="MathJax-Span-305" class="mspace"><span id="MathJax-Span-306" class="mn">7<span id="MathJax-Span-307" class="mo">)
  5. <span id="MathJax-Span-309" class="mrow"><span id="MathJax-Span-310" class="msubsup"><span id="MathJax-Span-311" class="mn">3<span id="MathJax-Span-312" class="mn">5<span id="MathJax-Span-313" class="mo">=<span id="MathJax-Span-314" class="mo">(<span id="MathJax-Span-315" class="msubsup"><span id="MathJax-Span-316" class="mn">3<span id="MathJax-Span-317" class="mn">4<span id="MathJax-Span-318" class="mo">)<span id="MathJax-Span-319" class="mo">&times;<span id="MathJax-Span-320" class="mn">3<span id="MathJax-Span-321" class="mo">&equiv;<span id="MathJax-Span-322" class="mn">4<span id="MathJax-Span-323" class="mo">&times;<span id="MathJax-Span-324" class="mn">3<span id="MathJax-Span-325" class="mo">=<span id="MathJax-Span-326" class="mn">12<span id="MathJax-Span-327" class="mo">&equiv;<span id="MathJax-Span-328" class="mn">5<span id="MathJax-Span-329" class="mspace"><span id="MathJax-Span-330" class="mo">(<span id="MathJax-Span-331" class="texatom"><span id="MathJax-Span-332" class="mrow"><span id="MathJax-Span-333" class="mi">m<span id="MathJax-Span-334" class="mi">o<span id="MathJax-Span-335" class="mi">d<span id="MathJax-Span-336" class="mspace"><span id="MathJax-Span-337" class="mn">7<span id="MathJax-Span-338" class="mo">)
so <span id="MathJax-Span-340" class="mrow"><span id="MathJax-Span-341" class="mi">a<span id="MathJax-Span-342" class="mo">=<span id="MathJax-Span-343" class="mn">5. The way we 'bounce around' the integers modulo 7 by repeatedly multiplying by the base 3 (getting 3, 2, 6, 4 and then 5) should give you some intuition as to why DLP seems hard in this setting. If our prime was much larger than 7, say thousands of bits long in binary, even a computer would take a very long time to solve DLP this way (though there are better, sub-exponential time algorithms and it is not proven that no polynomial time algorithm exists for solving DLP in this kind of group).
所以 <span id="MathJax-Span-340" class="mrow"><span id="MathJax-Span-341" class="mi">a<span id="MathJax-Span-342" class="mo">=<span id="MathJax-Span-343" class="mn">5 .我们通过反复乘以 3 为底(得到 3、2、6、4 和 5)来“反弹”整数模 7 的方式应该会让您直观地了解为什么 DLP 在这种情况下看起来很困难。如果我们的素数大于 7,比如说二进制的数千位长,即使是计算机也需要很长时间才能以这种方式求解 DLP(尽管有更好的次指数时间算法,并且没有证明不存在用于求解此类组中的 DLP 的多项式时间算法)。

The Computational Diffie-Hellman Problem (CDH)
计算 Diffie-Hellman 问题 (CDH)
A problem related to DLP is named after Whit Diffie and Martin Hellman who devised a way of two parties agreeing on a secret key over a public channel without revealing it:
一个与 DLP 相关的问题以 Whit Diffie 和 Martin Hellman 的名字命名,他们设计了一种方法,让双方在不透露的情况下通过公共频道就密钥达成一致:
  • Alice and Bob publicly agree on a cyclic group <span id="MathJax-Span-345" class="mrow"><span id="MathJax-Span-346" class="mi">G and generator <span id="MathJax-Span-348" class="mrow"><span id="MathJax-Span-349" class="mi">g. 
    Alice 和 Bob 公开同意循环群 <span id="MathJax-Span-345" class="mrow"><span id="MathJax-Span-346" class="mi">G 和生成器 <span id="MathJax-Span-348" class="mrow"><span id="MathJax-Span-349" class="mi">g 。
  • Alice chooses a random secret integer <span id="MathJax-Span-351" class="mrow"><span id="MathJax-Span-352" class="mi">a and Bob chooses a random secret integer <span id="MathJax-Span-354" class="mrow"><span id="MathJax-Span-355" class="mi">b. 
    Alice 选择一个随机秘密整数 <span id="MathJax-Span-351" class="mrow"><span id="MathJax-Span-352" class="mi">a ,Bob 选择一个随机秘密整数 <span id="MathJax-Span-354" class="mrow"><span id="MathJax-Span-355" class="mi">b 。
  • Alice computes <span id="MathJax-Span-357" class="mrow"><span id="MathJax-Span-358" class="msubsup"><span id="MathJax-Span-359" class="mi">g<span id="MathJax-Span-360" class="mi">a and publicly sends this to Bob. Bob computes <span id="MathJax-Span-362" class="mrow"><span id="MathJax-Span-363" class="msubsup"><span id="MathJax-Span-364" class="mi">g<span id="MathJax-Span-365" class="mi">b and publicly sends this to Alice. 
    Alice 计算 <span id="MathJax-Span-357" class="mrow"><span id="MathJax-Span-358" class="msubsup"><span id="MathJax-Span-359" class="mi">g<span id="MathJax-Span-360" class="mi">a 并公开将其发送给 Bob。Bob 计算 <span id="MathJax-Span-362" class="mrow"><span id="MathJax-Span-363" class="msubsup"><span id="MathJax-Span-364" class="mi">g<span id="MathJax-Span-365" class="mi">b 并公开将其发送给 Alice。
  • Alice and Bob both compute <span id="MathJax-Span-367" class="mrow"><span id="MathJax-Span-368" class="msubsup"><span id="MathJax-Span-369" class="mi">g<span id="MathJax-Span-370" class="texatom"><span id="MathJax-Span-371" class="mrow"><span id="MathJax-Span-372" class="mi">a<span id="MathJax-Span-373" class="mi">b<span id="MathJax-Span-374" class="mo">=<span id="MathJax-Span-375" class="mo">(<span id="MathJax-Span-376" class="msubsup"><span id="MathJax-Span-377" class="mi">g<span id="MathJax-Span-378" class="mi">a<span id="MathJax-Span-379" class="msubsup"><span id="MathJax-Span-380" class="mo">)<span id="MathJax-Span-381" class="mi">b<span id="MathJax-Span-382" class="mo">=<span id="MathJax-Span-383" class="mo">(<span id="MathJax-Span-384" class="msubsup"><span id="MathJax-Span-385" class="mi">g<span id="MathJax-Span-386" class="mi">b<span id="MathJax-Span-387" class="msubsup"><span id="MathJax-Span-388" class="mo">)<span id="MathJax-Span-389" class="mi">a by raising what they received from the other party to power of their own secret integer. 
    Alice 和 Bob 都 <span id="MathJax-Span-367" class="mrow"><span id="MathJax-Span-368" class="msubsup"><span id="MathJax-Span-369" class="mi">g<span id="MathJax-Span-370" class="texatom"><span id="MathJax-Span-371" class="mrow"><span id="MathJax-Span-372" class="mi">a<span id="MathJax-Span-373" class="mi">b<span id="MathJax-Span-374" class="mo">=<span id="MathJax-Span-375" class="mo">(<span id="MathJax-Span-376" class="msubsup"><span id="MathJax-Span-377" class="mi">g<span id="MathJax-Span-378" class="mi">a<span id="MathJax-Span-379" class="msubsup"><span id="MathJax-Span-380" class="mo">)<span id="MathJax-Span-381" class="mi">b<span id="MathJax-Span-382" class="mo">=<span id="MathJax-Span-383" class="mo">(<span id="MathJax-Span-384" class="msubsup"><span id="MathJax-Span-385" class="mi">g<span id="MathJax-Span-386" class="mi">b<span id="MathJax-Span-387" class="msubsup"><span id="MathJax-Span-388" class="mo">)<span id="MathJax-Span-389" class="mi">a 通过将他们从对方那里得到的东西提高到他们自己的秘密整数的幂来计算。
Now <span id="MathJax-Span-391" class="mrow"><span id="MathJax-Span-392" class="msubsup"><span id="MathJax-Span-393" class="mi">g<span id="MathJax-Span-394" class="texatom"><span id="MathJax-Span-395" class="mrow"><span id="MathJax-Span-396" class="mi">a<span id="MathJax-Span-397" class="mi">b is a secret key that can be used for symmetric encryption and decryption by Alice and Bob. But someone listening in to the exchange has in their possession <span id="MathJax-Span-399" class="mrow"><span id="MathJax-Span-400" class="mi">G, <span id="MathJax-Span-402" class="mrow"><span id="MathJax-Span-403" class="mi">g, <span id="MathJax-Span-405" class="mrow"><span id="MathJax-Span-406" class="msubsup"><span id="MathJax-Span-407" class="mi">g<span id="MathJax-Span-408" class="mi">a and <span id="MathJax-Span-410" class="mrow"><span id="MathJax-Span-411" class="msubsup"><span id="MathJax-Span-412" class="mi">g<span id="MathJax-Span-413" class="mi">b. So secrecy of the key <span id="MathJax-Span-415" class="mrow"><span id="MathJax-Span-416" class="msubsup"><span id="MathJax-Span-417" class="mi">g<span id="MathJax-Span-418" class="texatom"><span id="MathJax-Span-419" class="mrow"><span id="MathJax-Span-420" class="mi">a<span id="MathJax-Span-421" class="mi">b depends on this problem, called the Computational Diffie-Hellman Problem (CDH):
现在 <span id="MathJax-Span-391" class="mrow"><span id="MathJax-Span-392" class="msubsup"><span id="MathJax-Span-393" class="mi">g<span id="MathJax-Span-394" class="texatom"><span id="MathJax-Span-395" class="mrow"><span id="MathJax-Span-396" class="mi">a<span id="MathJax-Span-397" class="mi">b 是一个密钥,可用于 Alice 和 Bob 的对称加密和解密。但是有人在听交流时,他们拥有 <span id="MathJax-Span-399" class="mrow"><span id="MathJax-Span-400" class="mi">G 、 <span id="MathJax-Span-402" class="mrow"><span id="MathJax-Span-403" class="mi">g <span id="MathJax-Span-405" class="mrow"><span id="MathJax-Span-406" class="msubsup"><span id="MathJax-Span-407" class="mi">g<span id="MathJax-Span-408" class="mi">a 和 <span id="MathJax-Span-410" class="mrow"><span id="MathJax-Span-411" class="msubsup"><span id="MathJax-Span-412" class="mi">g<span id="MathJax-Span-413" class="mi">b 。因此,密钥 <span id="MathJax-Span-415" class="mrow"><span id="MathJax-Span-416" class="msubsup"><span id="MathJax-Span-417" class="mi">g<span id="MathJax-Span-418" class="texatom"><span id="MathJax-Span-419" class="mrow"><span id="MathJax-Span-420" class="mi">a<span id="MathJax-Span-421" class="mi">b 的保密性取决于这个问题,称为计算 Diffie-Hellman 问题 (CDH):

Given <span id="MathJax-Span-423" class="mrow"><span id="MathJax-Span-424" class="mi">G, <span id="MathJax-Span-426" class="mrow"><span id="MathJax-Span-427" class="mi">g, <span id="MathJax-Span-429" class="mrow"><span id="MathJax-Span-430" class="msubsup"><span id="MathJax-Span-431" class="mi">g<span id="MathJax-Span-432" class="mi">a and <span id="MathJax-Span-434" class="mrow"><span id="MathJax-Span-435" class="msubsup"><span id="MathJax-Span-436" class="mi">g<span id="MathJax-Span-437" class="mi">b, find <span id="MathJax-Span-439" class="mrow"><span id="MathJax-Span-440" class="msubsup"><span id="MathJax-Span-441" class="mi">g<span id="MathJax-Span-442" class="texatom"><span id="MathJax-Span-443" class="mrow"><span id="MathJax-Span-444" class="mi">a<span id="MathJax-Span-445" class="mi">b.
给定 <span id="MathJax-Span-423" class="mrow"><span id="MathJax-Span-424" class="mi">G 、 <span id="MathJax-Span-426" class="mrow"><span id="MathJax-Span-427" class="mi">g <span id="MathJax-Span-429" class="mrow"><span id="MathJax-Span-430" class="msubsup"><span id="MathJax-Span-431" class="mi">g<span id="MathJax-Span-432" class="mi">a 和 <span id="MathJax-Span-434" class="mrow"><span id="MathJax-Span-435" class="msubsup"><span id="MathJax-Span-436" class="mi">g<span id="MathJax-Span-437" class="mi">b ,找到 <span id="MathJax-Span-439" class="mrow"><span id="MathJax-Span-440" class="msubsup"><span id="MathJax-Span-441" class="mi">g<span id="MathJax-Span-442" class="texatom"><span id="MathJax-Span-443" class="mrow"><span id="MathJax-Span-444" class="mi">a<span id="MathJax-Span-445" class="mi">b 。
CDH is clearly related to DLP, but which is harder? Well, if I can solve DLP then I can efficiently compute the secret integer <span id="MathJax-Span-447" class="mrow"><span id="MathJax-Span-448" class="mi">a from <span id="MathJax-Span-450" class="mrow"><span id="MathJax-Span-451" class="msubsup"><span id="MathJax-Span-452" class="mi">g<span id="MathJax-Span-453" class="mi">a and then find <span id="MathJax-Span-455" class="mrow"><span id="MathJax-Span-456" class="msubsup"><span id="MathJax-Span-457" class="mi">g<span id="MathJax-Span-458" class="texatom"><span id="MathJax-Span-459" class="mrow"><span id="MathJax-Span-460" class="mi">a<span id="MathJax-Span-461" class="mi">b by raising <span id="MathJax-Span-463" class="mrow"><span id="MathJax-Span-464" class="msubsup"><span id="MathJax-Span-465" class="mi">g<span id="MathJax-Span-466" class="texatom"><span id="MathJax-Span-467" class="mrow"><span id="MathJax-Span-468" class="mi">b to the power <span id="MathJax-Span-470" class="mrow"><span id="MathJax-Span-471" class="mi">a in the same way Alice does, therefore solving CDH. So anyone who can solve DLP can also solve CDH, meaning DLP is at least as hard as CDH.
CDH 显然与 DLP 有关,但哪个更难?好吧,如果我能解决 DLP,那么我就可以有效地 <span id="MathJax-Span-447" class="mrow"><span id="MathJax-Span-448" class="mi">a 计算秘密整数, <span id="MathJax-Span-450" class="mrow"><span id="MathJax-Span-451" class="msubsup"><span id="MathJax-Span-452" class="mi">g<span id="MathJax-Span-453" class="mi">a 然后以与 Alice 相同的方式通过提高到 <span id="MathJax-Span-463" class="mrow"><span id="MathJax-Span-464" class="msubsup"><span id="MathJax-Span-465" class="mi">g<span id="MathJax-Span-466" class="texatom"><span id="MathJax-Span-467" class="mrow"><span id="MathJax-Span-468" class="mi">b 幂 <span id="MathJax-Span-470" class="mrow"><span id="MathJax-Span-471" class="mi">a 来找到 <span id="MathJax-Span-455" class="mrow"><span id="MathJax-Span-456" class="msubsup"><span id="MathJax-Span-457" class="mi">g<span id="MathJax-Span-458" class="texatom"><span id="MathJax-Span-459" class="mrow"><span id="MathJax-Span-460" class="mi">a<span id="MathJax-Span-461" class="mi">b ,从而解决 CDH。所以任何能解决DLP的人也可以解决CDH,这意味着DLP至少和CDH一样难。

The Decisional Diffie-Hellman Problem (DDH)
决策 Diffie-Hellman 问题 (DDH)
This is another 'discrete logarithm' style problem used to prove indistinguishability properties. Say Alice and Bob perform the Diffie-Hellman key agreement protocol as above so that <span id="MathJax-Span-473" class="mrow"><span id="MathJax-Span-474" class="mi">G, <span id="MathJax-Span-476" class="mrow"><span id="MathJax-Span-477" class="mi">g, <span id="MathJax-Span-479" class="mrow"><span id="MathJax-Span-480" class="msubsup"><span id="MathJax-Span-481" class="mi">g<span id="MathJax-Span-482" class="mi">a and <span id="MathJax-Span-484" class="mrow"><span id="MathJax-Span-485" class="msubsup"><span id="MathJax-Span-486" class="mi">g<span id="MathJax-Span-487" class="mi">b are all public and <span id="MathJax-Span-489" class="mrow"><span id="MathJax-Span-490" class="msubsup"><span id="MathJax-Span-491" class="mi">g<span id="MathJax-Span-492" class="texatom"><span id="MathJax-Span-493" class="mrow"><span id="MathJax-Span-494" class="mi">a<span id="MathJax-Span-495" class="mi">b is the shared secret key. Intuitively, the Decisional Diffie-Hellman Problem (DDH) asks whether an adversary can distinguish Alice and Bob's secret key <span id="MathJax-Span-497" class="mrow"><span id="MathJax-Span-498" class="msubsup"><span id="MathJax-Span-499" class="mi">g<span id="MathJax-Span-500" class="texatom"><span id="MathJax-Span-501" class="mrow"><span id="MathJax-Span-502" class="mi">a<span id="MathJax-Span-503" class="mi">b from a random group element of <span id="MathJax-Span-505" class="mrow"><span id="MathJax-Span-506" class="mi">G. Formally:
这是另一个“离散对数”风格的问题,用于证明不可区分性。假设 Alice 和 Bob 执行如上所述的 Diffie-Hellman 密钥协议,因此 <span id="MathJax-Span-473" class="mrow"><span id="MathJax-Span-474" class="mi">G 、 <span id="MathJax-Span-476" class="mrow"><span id="MathJax-Span-477" class="mi">g <span id="MathJax-Span-479" class="mrow"><span id="MathJax-Span-480" class="msubsup"><span id="MathJax-Span-481" class="mi">g<span id="MathJax-Span-482" class="mi">a 和 <span id="MathJax-Span-484" class="mrow"><span id="MathJax-Span-485" class="msubsup"><span id="MathJax-Span-486" class="mi">g<span id="MathJax-Span-487" class="mi">b 都是公共的,并且是 <span id="MathJax-Span-489" class="mrow"><span id="MathJax-Span-490" class="msubsup"><span id="MathJax-Span-491" class="mi">g<span id="MathJax-Span-492" class="texatom"><span id="MathJax-Span-493" class="mrow"><span id="MathJax-Span-494" class="mi">a<span id="MathJax-Span-495" class="mi">b 共享的密钥。直观地说,决策 Diffie-Hellman 问题 (DDH) 询问对手是否可以将 Alice 和 Bob 的密钥 <span id="MathJax-Span-497" class="mrow"><span id="MathJax-Span-498" class="msubsup"><span id="MathJax-Span-499" class="mi">g<span id="MathJax-Span-500" class="texatom"><span id="MathJax-Span-501" class="mrow"><span id="MathJax-Span-502" class="mi">a<span id="MathJax-Span-503" class="mi">b 与随机 <span id="MathJax-Span-505" class="mrow"><span id="MathJax-Span-506" class="mi">G 组元素区分开来。正式:
  Given  <span id="MathJax-Span-508" class="mrow"><span id="MathJax-Span-509" class="mi">G, <span id="MathJax-Span-511" class="mrow"><span id="MathJax-Span-512" class="mi">g, <span id="MathJax-Span-514" class="mrow"><span id="MathJax-Span-515" class="msubsup"><span id="MathJax-Span-516" class="mi">g<span id="MathJax-Span-517" class="mi">a, <span id="MathJax-Span-519" class="mrow"><span id="MathJax-Span-520" class="msubsup"><span id="MathJax-Span-521" class="mi">g<span id="MathJax-Span-522" class="mi">b and <span id="MathJax-Span-524" class="mrow"><span id="MathJax-Span-525" class="msubsup"><span id="MathJax-Span-526" class="mi">T<span id="MathJax-Span-527" class="mi">x such that <span id="MathJax-Span-529" class="mrow"><span id="MathJax-Span-530" class="msubsup"><span id="MathJax-Span-531" class="mi">T<span id="MathJax-Span-532" class="mn">0 is a random element of <span id="MathJax-Span-534" class="mrow"><span id="MathJax-Span-535" class="mi">G, <span id="MathJax-Span-537" class="mrow"><span id="MathJax-Span-538" class="msubsup"><span id="MathJax-Span-539" class="mi">T<span id="MathJax-Span-540" class="mn">1<span id="MathJax-Span-541" class="mo">=<span id="MathJax-Span-542" class="msubsup"><span id="MathJax-Span-543" class="mi">g<span id="MathJax-Span-544" class="texatom"><span id="MathJax-Span-545" class="mrow"><span id="MathJax-Span-546" class="mi">a<span id="MathJax-Span-547" class="mi">b and <span id="MathJax-Span-549" class="mrow"><span id="MathJax-Span-550" class="mi">x is chosen uniformly at random from <span id="MathJax-Span-552" class="mrow"><span id="MathJax-Span-553" class="mo">{<span id="MathJax-Span-554" class="mn">0<span id="MathJax-Span-555" class="mo">,<span id="MathJax-Span-556" class="mn">1<span id="MathJax-Span-557" class="mo">}, find <span id="MathJax-Span-559" class="mrow"><span id="MathJax-Span-560" class="mi">x.
给定 <span id="MathJax-Span-508" class="mrow"><span id="MathJax-Span-509" class="mi">G 、 <span id="MathJax-Span-511" class="mrow"><span id="MathJax-Span-512" class="mi">g 、 <span id="MathJax-Span-514" class="mrow"><span id="MathJax-Span-515" class="msubsup"><span id="MathJax-Span-516" class="mi">g<span id="MathJax-Span-517" class="mi">a <span id="MathJax-Span-519" class="mrow"><span id="MathJax-Span-520" class="msubsup"><span id="MathJax-Span-521" class="mi">g<span id="MathJax-Span-522" class="mi">b 等 <span id="MathJax-Span-524" class="mrow"><span id="MathJax-Span-525" class="msubsup"><span id="MathJax-Span-526" class="mi">T<span id="MathJax-Span-527" class="mi">x <span id="MathJax-Span-529" class="mrow"><span id="MathJax-Span-530" class="msubsup"><span id="MathJax-Span-531" class="mi">T<span id="MathJax-Span-532" class="mn">0 是 的 <span id="MathJax-Span-534" class="mrow"><span id="MathJax-Span-535" class="mi">G 随机元素, <span id="MathJax-Span-537" class="mrow"><span id="MathJax-Span-538" class="msubsup"><span id="MathJax-Span-539" class="mi">T<span id="MathJax-Span-540" class="mn">1<span id="MathJax-Span-541" class="mo">=<span id="MathJax-Span-542" class="msubsup"><span id="MathJax-Span-543" class="mi">g<span id="MathJax-Span-544" class="texatom"><span id="MathJax-Span-545" class="mrow"><span id="MathJax-Span-546" class="mi">a<span id="MathJax-Span-547" class="mi">b 并且 <span id="MathJax-Span-549" class="mrow"><span id="MathJax-Span-550" class="mi">x 从 <span id="MathJax-Span-552" class="mrow"><span id="MathJax-Span-553" class="mo">{<span id="MathJax-Span-554" class="mn">0<span id="MathJax-Span-555" class="mo">,<span id="MathJax-Span-556" class="mn">1<span id="MathJax-Span-557" class="mo">} 中随机均匀选择,找到 <span id="MathJax-Span-559" class="mrow"><span id="MathJax-Span-560" class="mi">x 。

If an adversary can solve DDH (i.e. output the correct value of <span id="MathJax-Span-562" class="mrow"><span id="MathJax-Span-563" class="mi">x with probability greater than <span id="MathJax-Span-565" class="mrow"><span id="MathJax-Span-566" class="mfrac"><span id="MathJax-Span-567" class="mn">1<span id="MathJax-Span-568" class="mn">2), then <span id="MathJax-Span-570" class="mrow"><span id="MathJax-Span-571" class="mi">G, <span id="MathJax-Span-573" class="mrow"><span id="MathJax-Span-574" class="mi">g, <span id="MathJax-Span-576" class="mrow"><span id="MathJax-Span-577" class="msubsup"><span id="MathJax-Span-578" class="mi">g<span id="MathJax-Span-579" class="mi">a and <span id="MathJax-Span-581" class="mrow"><span id="MathJax-Span-582" class="msubsup"><span id="MathJax-Span-583" class="mi">g<span id="MathJax-Span-584" class="mi">b must leak some information about the secret key <span id="MathJax-Span-586" class="mrow"><span id="MathJax-Span-587" class="msubsup"><span id="MathJax-Span-588" class="mi">g<span id="MathJax-Span-589" class="texatom"><span id="MathJax-Span-590" class="mrow"><span id="MathJax-Span-591" class="mi">a<span id="MathJax-Span-592" class="mi">b that distinguishes it from a random group element, even if it can't be computed directly. What should be clear is that if the adversary can solve the computational Diffie-Hellman problem, then they can actually compute <span id="MathJax-Span-594" class="mrow"><span id="MathJax-Span-595" class="msubsup"><span id="MathJax-Span-596" class="mi">g<span id="MathJax-Span-597" class="texatom"><span id="MathJax-Span-598" class="mrow"><span id="MathJax-Span-599" class="mi">a<span id="MathJax-Span-600" class="mi">b and hence trivially distinguish this element from a random group element, thereby solving the decisional Diffie-Hellman problem. So anyone who can solve CDH can also solve DDH, meaning CDH is at least as hard as DDH.
如果攻击者可以求解 DDH(即输出概率大于 的正确值 <span id="MathJax-Span-562" class="mrow"><span id="MathJax-Span-563" class="mi">x ),那么 <span id="MathJax-Span-570" class="mrow"><span id="MathJax-Span-571" class="mi">G , <span id="MathJax-Span-573" class="mrow"><span id="MathJax-Span-574" class="mi">g <span id="MathJax-Span-576" class="mrow"><span id="MathJax-Span-577" class="msubsup"><span id="MathJax-Span-578" class="mi">g<span id="MathJax-Span-579" class="mi">a , 并且 <span id="MathJax-Span-581" class="mrow"><span id="MathJax-Span-582" class="msubsup"><span id="MathJax-Span-583" class="mi">g<span id="MathJax-Span-584" class="mi">b 必须泄露一些关于将其与随机组元素区分开来的密钥 <span id="MathJax-Span-586" class="mrow"><span id="MathJax-Span-587" class="msubsup"><span id="MathJax-Span-588" class="mi">g<span id="MathJax-Span-589" class="texatom"><span id="MathJax-Span-590" class="mrow"><span id="MathJax-Span-591" class="mi">a<span id="MathJax-Span-592" class="mi">b 的信息,即使它不能直接计算。 <span id="MathJax-Span-565" class="mrow"><span id="MathJax-Span-566" class="mfrac"><span id="MathJax-Span-567" class="mn">1<span id="MathJax-Span-568" class="mn">2 应该清楚的是,如果对手能够解决计算的 Diffie-Hellman 问题,那么他们实际上可以计算 <span id="MathJax-Span-594" class="mrow"><span id="MathJax-Span-595" class="msubsup"><span id="MathJax-Span-596" class="mi">g<span id="MathJax-Span-597" class="texatom"><span id="MathJax-Span-598" class="mrow"><span id="MathJax-Span-599" class="mi">a<span id="MathJax-Span-600" class="mi">b 并因此轻松地将该元素与随机群元素区分开来,从而解决决策 Diffie-Hellman 问题。所以任何能解决 CDH 的人也可以解决 DDH,这意味着 CDH 至少和 DDH 一样难。

These are the three problems we wanted to talk about and we've given a sketch proof of their ordering in terms of hardness: DLP is the most hard, then CDH and then DDH. As we've seen, DLP is sometimes easy, making CDH and DDH easy. So the choice of group <span id="MathJax-Span-602" class="mrow"><span id="MathJax-Span-603" class="mi">G and generator <span id="MathJax-Span-605" class="mrow"><span id="MathJax-Span-606" class="mi">g is very important when doing cryptography!
这是我们想要讨论的三个问题,我们已经给出了它们在硬度方面的排序的草图证明:DLP 是最硬的,然后是 CDH,然后是 DDH。正如我们所看到的,DLP 有时很容易,使 CDH 和 DDH 变得容易。所以在做密码学的时候,组 <span id="MathJax-Span-602" class="mrow"><span id="MathJax-Span-603" class="mi">G 和生成器 <span id="MathJax-Span-605" class="mrow"><span id="MathJax-Span-606" class="mi">g 的选择是非常重要的!

标签:11,What,CDH,Alice,DDH,ga,gab,DLP
From: https://www.cnblogs.com/3cH0-Nu1L/p/18104695

相关文章

  • 52 Things: Number 10: What is the difference between the RSA and strong-RSA prob
    52Things:Number10:WhatisthedifferencebetweentheRSAandstrong-RSAproblem?52件事:数字10:RSA和强RSA问题有什么区别?Thisisthelatestinaseriesofblogpoststoaddressthelistof'52ThingsEveryPhDStudentShouldKnowToDoCryptography......
  • 算法笔记0411
    1.在C++中,set是一种关联容器,用于存储已排序的键值对,其中每个键都是唯一的。在上面的代码片段中,set<int>s;声明了一个整数类型的set,命名为s,它将自动按照元素值进行排序。set<int>::iteratorit;声明了一个名为it的迭代器,用于遍历set中的元素。迭代器是用于访问容器元素的通用......
  • Adobe Reader XI 11.0.23 简体中文版
    下载地址:AdobeReaderXI11.0.00简体中文版http://ardownload.adobe.com/pub/adobe/reader/win/11.x/11.0.00/zh_CN/AdbeRdr11000_zh_CN.exeAdobeReaderXI11.0.23补丁http://ardownload.adobe.com/pub/adobe/reader/win/11.x/11.0.23/misc/AdbeRdrUpd11023.msp注意:先请安......
  • win11 解锁多用户同时登录
    准备工具:1.RDP Wrapper download如果右侧的不是fullysupported,而是红色的notsupported。【开始】-【运行】-【services.msc】找到下面的服务,停止掉 同步修改组策略设置 直接安装,并修改组策略【计算机配置】-【管理模板】-【Windows组件】-【远程桌面服务】-【远程......
  • 算法模板 v1.12.2.20240411
    算法模板v1.1.1.20240115:之前历史版本已不可寻,创建第一份算法模板。v1.2.1.20240116:删除“编译”-“手动开栈”;删除“编译”-“手动开O优化”;修改“编译”-“CF模板”;删除“读写”;删除“图论”-“欧拉图”-“混合图”;删除“图论”-“可达性统计”;删除“数据类型”-“高精类”。......
  • Windows11系统Windows.UI.Cred.dll文件丢失问题
    其实很多用户玩单机游戏或者安装软件的时候就出现过这种问题,如果是新手第一时间会认为是软件或游戏出错了,其实并不是这样,其主要原因就是你电脑系统的该dll文件丢失了或没有安装一些系统软件平台所需要的动态链接库,这时你可以下载这个Windows.UI.Cred.dll文件(挑选合适的版本文......
  • Windows11系统Windows.UI.Search.dll文件丢失问题
    其实很多用户玩单机游戏或者安装软件的时候就出现过这种问题,如果是新手第一时间会认为是软件或游戏出错了,其实并不是这样,其主要原因就是你电脑系统的该dll文件丢失了或没有安装一些系统软件平台所需要的动态链接库,这时你可以下载这个Windows.UI.Search.dll文件(挑选合适的版本......
  • 2024.4.11力扣每日一题——互质树
    2024.4.11题目来源我的题解方法一深度优先遍历+回溯+存储父节点方法二官方深度优先遍历题目来源力扣每日一题;题序:1766我的题解方法一深度优先遍历+回溯+存储父节点使用一个List存储深度优先遍历过程中的父节点,然后从List的右侧开始遍历,直到与当前节点互质......
  • 升级到windows 11后无法连接公司的WIFI
    电脑升级到win11后,就无法连接到公司的域WIFI了。其他输密码的WIFI都是正常的,包括手机热点的WIFI都可以正常连接就是无法连接到公司的加域的WIFI。重新加域,重新安装驱动,都试过了,还是不行。网上到处找解决方案。终于找到一个靠谱的问题定位到:CredentialGuard原来从Windows......
  • 【题解】CF311E Biologist题解
    CF311EBiologist题解非常好的一道最小割。思路首先看到每一个位置又会有\(01\)两种情况,然后要满足一些要求,求最大收益,考虑类似于P4313文理分科和P1361小M的作物这种集合划分的建图方法,也就是要用最小割求解。由于我们要求的是最大收益,所以我们要先明确要最小化什么,......

赞助商

阅读排行

网站主页关于我们联系我们网站地图

本网站内容转载自其他媒体,侵权联系[admin##ips99.com]。

Copyright © 2020-2023 IPS99 版权所有 IPS99