Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [hardness-assumptions]

Mathematical problems that are thought to be difficult to solve for all cases in polynomial time

A hardness assumption, also called a hardness problem, is a mathematical problem that is assumed to be difficult to solve in polynomial time. A well-known example is integer factorization. There is no known way for a classical computer to perform integer factorization in polynomial time.

A cryptographic algorithm may be provably reducible to a particular hardness assumption, which provides a guarantee that the algorithm can only be broken if the a solution to the assumption is found. The Rabin cryptosystem is provably reducible to the difficulty of integer factorization, for example, whereas RSA is thought to be as difficult as integer factorization, but this has not been proven (i.e. the RSA problem has not been provably reduced to the integer factorization problem).

A hardness assumption can be classified based on whether it's average or worst-case for typical problems. There are a very large number of hardness assumptions used in cryptography.

179 questions
31
votes
2 answers

What are standard cryptographic assumptions?

I am struggling to understand what is meant by "standard cryptographic assumption". The Wikipedia artice on the Goldwasser–Micali system (GM) reads "GM has the distinction of being the first probabilistic public-key encryption scheme which is…
3nondatur
  • 617
  • 6
  • 11
23
votes
4 answers

What is the relation between Discrete Log, Computational Diffie-Hellman and Decisional Diffie-Hellman?

How are the three problems Discrete Logarithm, Computational Diffie-Hellman and Decisional Diffie-Hellman related? From my understanding, since the Discrete Log (DL) Problem is considered hard, then so is CDH. And since CDH is considered hard, then…
Bobby S
  • 1,973
  • 4
  • 23
  • 30
20
votes
1 answer

Can you give me a summary of cryptographic hardness assumptions?

Until recently, I had a link to a website which summarizes up-to-date cryptographic hardness assumptions. But, unfortunately I cannot find it. The webpage is categorized well problems such as, DL problem, Factorization, Finite field, DH…
Arious Oh Nine
  • 201
  • 2
  • 3
14
votes
2 answers

Sum of two squares problem

I would like to know if there is any existing research on the following problem: $$\text{For }a, b \in \mathbb Z \text{, given }n = a^2 + b^2, \text{output }a, b$$. Searching for "sum of squares", "quadratic sum", "two squares", etc. on eprint did…
Ella Rose
  • 19,971
  • 6
  • 56
  • 103
12
votes
3 answers

Error-correcting Code VS Lattice-based Crypto

I'm not an expert in PQ-crypto, but as I understand error-correcting code and lattice-based crypto, the cryptographic assumptions are very similar. The key difference for me is the nature of the noise. In one case, the noise is inspired by the…
Ievgeni
  • 2,653
  • 1
  • 13
  • 35
11
votes
1 answer

What is this problem called and is it hard? given $g^x$ output ($g^y, xy$)

Assume that $G$ is any cyclic group where the discrete log problem is hard, such as the elliptic curve group. Let $g$ be some generator of $G$. The problem is as follows: Given $(g, g^x)$ for unknown $x$, output any pair of the form $(g^y, xy)$ for…
Jus12
  • 1,679
  • 1
  • 12
  • 21
10
votes
2 answers

Is the one-more discrete log problem hard in the Generic Group Model?

In the Generic Group Model (GGM), a concrete cyclic group of (known) order $n$ is replaced with an idealized version: a random encoding for group elements is chosen, and the adversary only gets access to the encoded form of any input group elements…
Pieter Wuille
  • 425
  • 2
  • 12
10
votes
0 answers

Hardness of iterated squaring in Paillier group

The (computational) problem of iterated squaring (IS) in the RSA group is defined as follows, where $\leftarrow$ denotes sampling uniformly at random: Input: $(N,x,T)$, where $N$ is the RSA modulus, $x\leftarrow\mathbb{Z}_N^*$, and $T\in\mathbb{N}$…
ckamath
  • 5,488
  • 2
  • 25
  • 42
10
votes
2 answers

Concrete evidence for the asymptotics of $\lambda_1(\Lambda^\perp(A))$?

A recent eprint paper claims to bound $\lambda_1(\Lambda^\perp(\mathbf{A}))$ for $\mathbf{A}\in\mathbb{Z}^{n\times m}$, a uniformly random matrix, by $O(1)$, specifically by $4$. This has applications to solving $\mathsf{SIS}_{n,m,q,4}$ in…
Mark Schultz-Wu
  • 15,089
  • 1
  • 22
  • 53
10
votes
1 answer

Nash cryptosystem

In 1955, Nash proposed a cryptosystem in a declassified handwritten letters sent to the National Security Agency. The letters also include a conjecture which is equivalent to the famous $P \ne NP$ conjecture. I am not an expert in cryptoghraphy and…
Mohammad Al-Turkistany
  • 263
  • 2
  • 10
10
votes
1 answer

About random self-reducibility of DDH

In Section 8 of this, Lindell presents a construction of an oblivious transfer protocol which is secure in the malicious model under the following variant of the DDH assumption (page 53): [F]or every probabilistic-polynomial time non-uniform…
fkraiem
  • 8,242
  • 2
  • 28
  • 38
10
votes
2 answers

What is a q-type assumption?

I've seen the term "$q$-type assumption" used in a few papers without a definition. A Google search doesn't seem to come up with anything useful either (except the same papers without a definition). Could someone elaborate on what they are and how…
JT1
  • 395
  • 2
  • 8
8
votes
2 answers

Is there a group where CDH is easy but DLog is hard?

The question is quite simple: Is there a group where solving the CDH problem can be shown to be easy but solving the discrete logarithm problem is assumed to be hard? Refresher on the problems: CDH: Let $\mathbb G=(G,+,0,p)$ be a public cyclic…
SEJPM
  • 46,697
  • 9
  • 103
  • 214
8
votes
2 answers

How hard is Self-DLOG?

This question while asking for something different brings up an intriguing problem: If you can find $x$ such that $x\equiv R^x\pmod p$ then you can break DSA. Now I thought that one might be able to relate this to the discrete logarithm problem…
SEJPM
  • 46,697
  • 9
  • 103
  • 214
7
votes
1 answer

Is phi-hiding assumption as hard as integer factorization?

Phi-hiding assumption can be simply stated as (wrt hardness) It is difficult to find small factors of $\varphi(m)$ where $m$ is a number whose factorization is unknown and $\varphi$ is Euler's totient function. Is the hardness due to this…
Fateh
  • 107
  • 5
1
2 3
11 12