
Hardness Assumptions

From the document Belajar tentang Identity-Based Encryption (pages 57-61)

The basic hard problem in the setting of cyclic groups is the discrete log problem.

The computational hardness of all other problems is contingent upon the hardness of the discrete log problem. In forming estimates of key sizes, the work in [130] considers the best known algorithm for solving the discrete log problem to also be the best known algorithm for solving other problems. The discrete log problem in a cyclic group (written multiplicatively) is as follows.

Discrete Log (DL).

Instance. A cyclic group $\langle g \rangle$ of order $p$ and an element $h \in \langle g \rangle$.

Task. Compute $a \in \mathbb{Z}_p$ such that $h = g^a$.

We next define another well-known basic computationally hard problem for a cyclic group.

Computational Diffie-Hellman (CDH).

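Instance. A cyclic group $\langle g \rangle$ of order $p$ and a tuple $(g, g^a, g^b)$ where $a$ and $b$ are uniform random elements of $\mathbb{Z}_p$.

Task. Compute $g^{ab}$.

In other words, an algorithm (or an adversary) $\mathcal{A}$ for solving the CDH problem takes as input a tuple $(g, g^a, g^b)$ and has to output $g^{ab}$. The advantage of $\mathcal{A}$ in solving the CDH problem is defined as follows.

$$\mathsf{Adv}^{\mathrm{CDH}}(\mathcal{A}) = \Pr\left[\mathcal{A}(g, g^a, g^b) \Rightarrow g^{ab}\right]$$

The CDH problem in $\langle g \rangle$ is said to be $(\varepsilon, t)$-hard if for any adversary $\mathcal{A}$ running in time at most $t$, $\mathsf{Adv}^{\mathrm{CDH}}(\mathcal{A}) \le \varepsilon$. This problem has a decision version.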

Decisional Diffie-Hellman (DDH).

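Instance. A cyclic group $\langle g \rangle$ of order $p$ and a tuple $(g, g^a, g^b, g^c)$ for independent and uniform random $a$ and $b$ from $\mathbb{Z}_p$.

Task. Determine whether $c = ab$ or whether $c$ is a uniform random element of $\mathbb{Z}_p$.

An algorithm (or an adversary) $\mathcal{A}$ for solving the DDH problem takes as input a tuple $(g, g^a, g^b, g^c)$ and returns a bit. The event that $\mathcal{A}$ returns 1 is denoted by $\mathcal{A}(g, g^a, g^b, g^c) \Rightarrow 1$. The advantage of $\mathcal{A}$ in solving DDH is defined as follows.

$$\mathsf{Adv}^{\mathrm{DDH}}(\mathcal{A}) = \Pr\left[\mathcal{A}(g, g^a, g^b, g^{ab}) \Rightarrow 1\right] - \Pr\left[\mathcal{A}(g, g^a, g^b, g^c) \Rightarrow 1\right].$$

As in the case of CDH, the DDH problem in $\langle g \rangle$ is said to be $(\varepsilon, t)$-hard if for any adversary $\mathcal{A}$ running in time at most $t$, $\mathsf{Adv}^{\mathrm{DDH}}(\mathcal{A}) \le \varepsilon$.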

We next turn our attention to the pairing setting and as noted in the previous section focus on the case of symmetric pairing only. Extensions to the asymmetric settings have been proposed in the literature and for a more detailed discussion on the computationally hard problems in the pairing setting the reader is referred to [47].

So far the general setting of a bilinear map was denoted as $e : G_1 \times G_2 \to G_T$. For the symmetric or Type 1 pairing we set $G = G_1 = G_2$ and use $(p, G, G, G_T, e)$ to denote this setting. Let $G = \langle P \rangle$ and $G_T = \langle e(P,P) \rangle$. In the following we will assume that $(p, G, G, G_T, e)$ along with the respective generators of $G$ and $G_T$ are publicly known and may not explicitly mention that while defining a problem instance.

The basic hard problem in the setting of bilinear maps is the Bilinear Diffie-Hellman problem which was first introduced by Boneh and Franklin in [39]. We define both the computational and decisional version of this problem.

Bilinear Diffie-Hellman (BDH).

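Instance. A tuple $(P, aP, bP, cP)$ where $a$, $b$ and $c$ are uniform random elements of $\mathbb{Z}_p$.

Task. Compute $e(P,P)^{abc}$.

Just like the case of the CDH problem discussed above, the advantage of $\mathcal{A}$ in solving the BDH problem is defined as follows.

$$\mathsf{Adv}^{\mathrm{BDH}}(\mathcal{A}) = \Pr\left[\mathcal{A}(P, aP, bP, cP) \Rightarrow e(P,P)^{abc}\right]$$

The BDH problem in $\langle g \rangle$ is said to be $(\varepsilon, t)$-hard if for any adversary $\mathcal{A}$ running in time at most $t$, $\mathsf{Adv}^{\mathrm{BDH}}(\mathcal{A}) \le \varepsilon$.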

Decisional Bilinear Diffie-Hellman (DBDH).

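Instance. $(P, aP, bP, cP, Z)$ where $G = \langle P \rangle$, $a$, $b$, $c$ are uniform random elements of $\mathbb{Z}_p$ and $Z \in G_T$.

Task. Determine whether $Z = e(P,P)^{abc}$ or whether $Z$ is a random element of $G_T$.

An algorithm $\mathcal{A}$ for solving the DBDH problem takes a tuple $(P, aP, bP, cP, Z)$ as input and returns a bit. The event that $\mathcal{A}$ returns 1 is denoted by $\mathcal{A}(P, aP, bP, cP, Z) \Rightarrow 1$. The advantage of $\mathcal{A}$ in solving DBDH is defined as follows.

$$\mathsf{Adv}^{\mathrm{DBDH}}(\mathcal{A}) = \left|\Pr\left[\mathcal{A}(P, aP, bP, cP, Z) \Rightarrow 1 \mid Z = e(P,P)^{abc}\right] - \Pr\left[\mathcal{A}(P, aP, bP, cP, Z) \Rightarrow 1 \mid Z \text{ is random}\right]\right|.$$

The DBDH problem in $(p, G, G, G_T, e)$ is said to be $(\varepsilon, t)$-hard if for any adversary $\mathcal{A}$ running in time at most $t$, $\mathsf{Adv}^{\mathrm{DBDH}}(\mathcal{A}) \le \varepsilon$.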

Below we consider several other problems. In each case, the advantage of an adversary can be formalised in the manner of BDH and the DBDH problems. To avoid repetition, we do not explicitly define these advantages.

As mentioned earlier, if $(p, G, G, G_T, e)$ is a Type-I pairing setting, then the DDH problem in $G$ becomes easy. Given $(P, aP, bP, cP) \in G^4$, one simply checks whether $e(P, cP) \stackrel{?}{=} e(aP, bP)$. But this does not imply that the CDH problem in $G$ is easy. In fact, there is no known way to solve the CDH problem in $G$ using the bilinear map $e$. Groups for which the DDH problem is easy but CDH is hard are called gap Diffie-Hellman groups and there is a corresponding gap Diffie-Hellman problem (GDH). Informally speaking, the problem states that the CDH problem is hard even if the DDH problem is easy.
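The pairing check above, run as the two-world experiment from the DDH advantage definition. This is an added example, not part of the source text: the parameters ($p = 1019$, $q = 2039$), the function names and the toy pairing are assumptions, and because $G$ is modelled as $\mathbb{Z}_p$ under addition, discrete logs in it are trivial, so it shows only the algebra of the check.

```python
import random

# Constructed toy parameters: p is the prime group order, q = 2p + 1 is prime.
p, q = 1019, 2039
g_T = 4   # generator of the order-p subgroup of Z_q^*; plays the role of e(P, P)
P = 1     # G is Z_p written additively; the element xP is stored as x mod p

def mul(x, X):
    """Scalar multiplication xX in the toy group G."""
    return (x * X) % p

def e(X, Y):
    """Toy symmetric pairing G x G -> G_T with e(xP, yP) = e(P, P)^(xy)."""
    return pow(g_T, (X * Y) % p, q)

def distinguisher(P, aP, bP, cP):
    """Return 1 iff e(P, cP) = e(aP, bP), which holds iff c = ab mod p."""
    return int(e(P, cP) == e(aP, bP))

def ddh_advantage(trials=2000, seed=1):
    """Estimate Pr[A => 1 | c = ab] - Pr[A => 1 | c random] by sampling."""
    rng = random.Random(seed)
    real = rand = 0
    for _ in range(trials):
        a, b, c = (rng.randrange(p) for _ in range(3))
        aP, bP = mul(a, P), mul(b, P)
        real += distinguisher(P, aP, bP, mul(a * b, P))   # DDH tuple
        rand += distinguisher(P, aP, bP, mul(c, P))       # random tuple
    return real / trials - rand / trials

if __name__ == "__main__":
    print(f"estimated DDH advantage: {ddh_advantage():.4f}")
```

The estimate sits close to $1 - 1/p$, since the distinguisher errs only when a random $c$ happens to equal $ab$.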

The next problem was originally stated for a single cyclic group [37]. In the setting of Type 1 pairings this is the group G.

Decision Linear (DLIN).

Instance. A cyclic group $G = \langle P \rangle$ and a tuple $(P, aP, bP, acP, bdP, Q)$.

Task. Determine whether $(c + d)P = Q$ or whether $Q$ is a uniform random element of $G$ which is independent of the other given elements.

The problems mentioned so far are static in the sense that the instances consist of a fixed number of elements of G. Instances of non-static problems can have a variable number of elements of G. The actual number is determined by a parameter denoted below by either h or q.

Bilinear Diffie-Hellman Exponent (BDHE).

Instance. A tuple $(P, aP, a^2P, \ldots, a^{h-1}P, a^{h+1}P, \ldots, a^{2h}P, Q)$ where $G = \langle P \rangle$, $Q$ is a random element of $G$ and $a$ is a random element of $\mathbb{Z}_p$.

Task. Compute $e(P,Q)^{a^h}$.

Decisional Bilinear Diffie-Hellman Exponent (DBDHE).

Instance. A tuple $(P, aP, a^2P, \ldots, a^{h-1}P, a^{h+1}P, \ldots, a^{2h}P, Q, Z)$ with $Q$ a random element of $G$, $a$ a random element of $\mathbb{Z}_p$ and $Z \in G_T$.

Task. Determine whether $Z = e(P,Q)^{a^h}$ or whether $Z$ is a uniform random element of $G_T$ which is independent of the other elements.

Bilinear Diffie-Hellman inversion (BDHI).

Instance. A tuple $(P_1, \ldots, P_h)$ where $P_i = a^i P$ for some random $a \in \mathbb{Z}_p$.

Task. Compute $e(P,P)^{1/a}$.

Decisional Bilinear Diffie-Hellman inversion (DBDHI).

Instance. A tuple $(P_1, \ldots, P_h, Z)$ where $P_i = a^i P$ for some random $a \in \mathbb{Z}_p$ and $Z \in G_T$.

Task. Determine whether $Z$ equals $e(P,P)^{1/a}$ or whether $Z$ is a uniform random element of $G_T$ which is independent of $a$.

Weak Decisional Bilinear Diffie-Hellman Inversion. There are two versions of this problem.

wDBDHI.

Instance. A tuple $(Q, P_1, \ldots, P_h, Z)$ where $P_i = a^i P$ for some random $a \in \mathbb{Z}_p$, $Q$ is a random element of $G$ and $Z \in G_T$.

Task. Determine whether $Z$ equals $e(P,Q)^{1/a}$ or whether $Z$ is a uniform random element of $G_T$ which is independent of $a$.

wDBDHI.

Instance. A tuple $(Q, P_1, \ldots, P_h, Z)$ where $P_i = a^i P$ for some random $a \in \mathbb{Z}_p$, $Q$ is a random element of $G$ and $Z \in G_T$.

Task. Determine whether $Z$ equals $e(P,Q)^{a^{h+1}}$ or whether $Z$ is a uniform random element of $G_T$ which is independent of $a$.

It is possible to define the computational versions of these problems in the standard manner. The computational versions can be shown to be equivalent under a linear-time reduction and further an algorithm for either of these two computational problems gives an algorithm for the computational version of the BDHI problem with a tight reduction. See [35] for the details.

Truncated Decisional Augmented Bilinear Diffie-Hellman Exponent. In a manner similar to the BDHE, one defines the related q-ABDHE problem, where ‘A’ stands for ‘augmented’. An instance is a tuple

$$(Q, \alpha^{q+2}Q, P, \alpha P, \alpha^2 P, \ldots, \alpha^q P, \alpha^{q+2}P, \ldots, \alpha^{2q}P)$$

and the task is again to compute $e(P,Q)^{\alpha^{q+1}}$. A truncated version has instance

$$(Q, \alpha^{q+2}Q, P, \alpha P, \alpha^2 P, \ldots, \alpha^q P)$$

and the task is to compute $e(P,Q)^{\alpha^{q+1}}$ as before. Finally, Gentry [91] considers the decision version of this problem where the instance is

$$(Q, \alpha^{q+2}Q, P, \alpha P, \alpha^2 P, \ldots, \alpha^q P, Z)$$

and the task is to determine whether $Z = e(P,Q)^{\alpha^{q+1}}$ or whether $Z$ is a uniform random element of $G_T$.

Pairings over composite order groups. The pairing setting is given by a tuple $(p, G_1, G_2, G_T, e)$ where for Type-1 pairings, $G_1 = G_2$. The $p$ here is a prime number and is the common order of the three groups $G_1$, $G_2$ and $G_T$. It is also possible to work in the setting where this common order is a composite number $n$ which is a product of two (or more) “safe” primes [43], i.e., $n = p_1 p_2$. The instance contains only $n$ and the factors of $n$ are hidden. (For some applications, the factors may be part of the problem instance.) Composite order pairings have typically been suggested for Type-1 setting, i.e., $G_1 = G_2 = G$. The basic computationally hard problem in the setting of composite order pairings is the following. Given an element $Q \in G$ of order $n$ and an element $R \in G$ of order $p_1$, it is required to determine whether another element $Z \in G$ is of order $n$ or of order $p_1$.

A number of schemes have been proposed whose security relies on pairings over composite order groups. Recently, Freeman [82] showed how to convert many of these to schemes which can be based on pairing over prime order groups. Pursuing this further promises to be an interesting line of research.

Generic group model. This is an abstract model of computation over a group which was introduced in [141, 158]. In this model, the group operation is abstracted as an oracle query to a black box. The two operands are provided as the query input and the result of applying the group operation to the operands is provided as output of the query. This abstracts away the algebraic structure of the groups. More specifically, the actual method by which the result is computed is not available externally.

The generic group model is useful for providing lower bounds on the amount of effort needed to solve certain computational problems. Such lower bounds on the number of group operations needed to solve the discrete log problem were proved in [158]. Generic groups were introduced in the setting of pairings in [34], where it was used to validate an assumption called the strong Diffie-Hellman assumption.

Since then, the generic group model has been considered whenever a new computational assumption has been introduced. The idea is to show that the new assumption is valid if one does not consider the internal algebraic structure of the group.
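The oracle abstraction described above, as an added example that is not part of the source text: group elements are exposed only as random handles, and a solver may do nothing except query the operation oracle and compare handles. Baby-step giant-step is used here as one generic algorithm (a choice made for this example); the class, function names and the order $p = 1000003$ are assumptions.

```python
import math
import secrets

class GenericGroup:
    """Cyclic group of order p whose elements are visible only as random handles."""
    def __init__(self, p):
        self.p, self.queries = p, 0
        self._enc, self._dec = {}, {}

    def handle(self, x):
        """Random encoding of g^x; the label carries no information about x."""
        x %= self.p
        if x not in self._enc:
            label = secrets.token_hex(8)
            self._enc[x], self._dec[label] = label, x
        return self._enc[x]

    def op(self, h1, h2):
        """One oracle query: the handle of the product of two elements."""
        self.queries += 1
        return self.handle(self._dec[h1] + self._dec[h2])

def bsgs(G, g, h):
    """Generic baby-step giant-step: uses only G.op and handle equality."""
    m = math.isqrt(G.p) + 1
    baby, cur, gm = {}, h, G.handle(0)       # handle(0) is the identity element
    for j in range(m):                       # baby steps h*g^j, and build g^m
        baby[cur] = j
        cur, gm = G.op(cur, g), G.op(gm, g)
    giant = gm
    for i in range(1, m + 1):                # giant steps g^(i*m)
        if giant in baby:                    # g^(i*m) = h*g^j  =>  a = i*m - j
            return (i * m - baby[giant]) % G.p
        giant = G.op(giant, gm)
    raise ValueError("no collision found")

def solve_and_count(p, a):
    """Solve h = g^a in a fresh generic group; return (recovered a, oracle queries)."""
    G = GenericGroup(p)
    recovered = bsgs(G, G.handle(1), G.handle(a))
    return recovered, G.queries

if __name__ == "__main__":
    p = 1000003                              # constructed toy group order
    a, used = solve_and_count(p, 271828)
    print(f"a = {a}, oracle queries = {used}, sqrt(p) ~ {math.isqrt(p)}")
```

The query count stays within about $3\sqrt{p}$, the same order of growth as the generic lower bound for discrete log.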

On the other hand, since the internal algebraic structure of the group is ignored, it can be argued that the generic group model is an abstraction which is far away from reality. Any reasonable algorithm for solving a computational problem in a particular group will most certainly try to exploit the inherent algebraic structure of the underlying groups. So, the assumption that the internal structure is not available to the algorithm is an impractical assumption. Consequently, one should consider lower bounds proved in the generic group model to be only a tentative indication of the computational hardness of the concerned problem. By no means can such a proof be considered to have actually established such hardness.
