1

Choose randomly $P\in G_1, (s,a \in Z_q)$.

let the attackers know $a,P$ and keep $s$ as secret. Also the following is given. $$sP,(a+s)^{-1}P$$

Individually,

From $sP$, trying to reveal ($s$) will be discrete logarithm problem.

However, I don't know (computational assumption) how to prove $s$ value cannot be revealed from $(a+s)^{-1}P$.

Moreover, are there any computation assumption to prove the secrecy of $s$ value from both $sP,(a+s)^{-1}P$ instead of individually.

As there is no pairing operation, BDH, xBDH, wBDH cannot be used here.

myat
  • 353
  • 1
  • 9

1 Answers1

1

Let $\mathbb{G}$ be a (multiplicatively written) group of order $q$ and let $g$ be a generator of $\mathbb{G}$. The $r$-SDH assumption (Strong Diffie-Hellman) [BB08] states that given $$ g,g^x, g^{x^2}, \dots, g^{x^r} $$ as input, it is hard to compute a pair $(a, g^{1/(x+a)})$ for some $a \in \mathbb{Z}_q$.

Writing group $\mathbb{G}$ additively and letting $P$ be a generator of $\mathbb{G}$, the $r$-SDH assumption is: Given $$ P, sP, s^2P, \dots, s^rP $$ as input, it is hard to compute a pair $(a, 1/(s+a)P)$ for some $a \in \mathbb{Z}_q$.

Your assumption is related to the $1$-SDH assumption in a cyclic subgroup of points on an elliptic curve over a finite field. It is however weaker as the attacker is given the value of $a$ (in the SDH assumption, the attacker is free to choose the value of $a$).

[BB08] D. Boneh and X. Boyen, Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups, Journal of Cryptology, 21(2), pp. 149-177, 2008.

user94293
  • 1,779
  • 13
  • 14