Questions tagged [hardness-assumptions]

Mathematical problems that are thought to be difficult to solve for all cases in polynomial time

A hardness assumption, also called a hardness problem, is a mathematical problem that is assumed to be difficult to solve in polynomial time. A well-known example is integer factorization. There is no known way for a classical computer to perform integer factorization in polynomial time.

A cryptographic algorithm may be provably reducible to a particular hardness assumption, which provides a guarantee that the algorithm can only be broken if a solution to the assumption is found. The Rabin cryptosystem is provably reducible to the difficulty of integer factorization, for example, whereas RSA is thought to be as difficult as integer factorization, but this has not been proven (i.e. the RSA problem has not been provably reduced to the integer factorization problem).

A hardness assumption can be classified based on whether it's average or worst-case for typical problems. There are a very large number of hardness assumptions used in cryptography.

164 questions

18 votes, 1 answer

Can you give me a summary of cryptographic hardness assumptions?

Until recently, I had a link to a website which summarizes up-to-date cryptographic hardness assumptions. But unfortunately, I cannot find it. The webpage is categorized well by problems such as DL problem, Factorization, Finite field, DH…
Arious Oh Nine

5 votes, 2 answers

Is this problem with anti-circulant matrices hard?

If there is an obvious way to solve this problem, please give it a chance before downvoting, I beg you. Also, some insight into the resultant asymmetric cryptosystem will be welcomed (described in the link at the end of this question). We will work…
daniel

5 votes, 2 answers

What is the notion of an interactive assumption?

In this paper, "Sequential Aggregate Signatures with Short Public Keys: Design, Analysis and Implementation Studies", the authors sell the paper as the first to propose aggregate signatures without interactive assumptions such as LRSW but with static ones.…
curious

3 votes, 3 answers

Is this asymmetric (public key) cryptosystem based on a 16x16 s-table safe and useful?

Maybe this is absolutely off-topic, but here it is. The cryptosystem description follows. Any hints of what to do with it, or flaws found, are welcome. This description is here as well. We will use a substitution 16x16 table, this is one of them: 7 …
daniel

3 votes, 1 answer

Is this problem on $\mathbb{Z}_p$ really hard?

I just want to know if there's something obvious that renders this hard problem useless. Not a full cryptanalysis. Any hint on whatever is welcome. We will work with the Ring $\mathbb{Z}_{p}$, $p$ prime. Now, we define a function…
daniel

3 votes, 1 answer

KEA assumption details

In order to understand the construction of a zk-SNARK, I have recently been trying to understand the KEA1 assumption in The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols by Mihir Bellare and Adriana Palacio. I do not…
Pierre21

3 votes, 1 answer

q-Strong Bilinear Diffie-Hellman

I'm having trouble finding the first paper that introduced the $q$-Strong Bilinear Diffie-Hellman ($q$-SBDH) assumption which, roughly speaking, is: Let $\mathbb{G},\mathbb{G}_T$ be two groups of order $p$, with a bilinear map $e$ from $\mathbb{G}$…
Alin Tomescu

2 votes, 0 answers

Group of quadratic residue over Blum integer

Let $x$ be a random element from $QR_n$, the quadratic residue group over Blum integer n (where $n=p*q$ and $p$ and $q$ are safe primes), and $g$ a generator of $QR_n$. Are the following computationally indistinguishable? $$(x^2 \mod n, g^x) (r^2…
Sean

2 votes, 0 answers

Are these two assumptions equivalent?

Let $f_a : S \to R$ be a family of functions indexed by $a\in P$. Consider the assumption that $(a, f_a(x))$ is indistinguishable from uniform, over the distribution of $a\leftarrow U$ (uniform) and $x\leftarrow D$ (some efficiently sampleable…
Myath

2 votes, 1 answer

Is this problem based on discrete polynomials modulo $(x^3-1)$ strong?

We start working with the Ring $R=\left(\mathbb{Z}/p\mathbb{Z}\right)\left[x\right]/\left(x^{3}-1\right)$, $p$ prime, i.e. degree two polynomials with coefficients modulo $p$ modulo $x^{3}-1$. As $x^{3}-1=\left(x-1\right)\left(x^{2}+x+1\right)$, we…
daniel

2 votes, 1 answer

Strong LRSW assumption for type 3 pairing groups

Why does the "strong LRSW" assumption by Ateniese et al. [Untraceable RFID Tags via Insubvertible Encryption, CCS'05] hold ONLY for type 3 pairings and NOT for symmetric pairings? Whereas, the LRSW assumption by Lysyanskaya et al. [Pseudonym…
user2204800

1 vote, 1 answer

Is DDH hard over this group?

I'm new to DDH. Reading this survey, I noticed that DDH is (believed to be) hard in many groups, but most of them are prime-order groups (the only one that is not is the cyclic subgroup of order $(p-1)(q-1)$ of the group of integers modulo $N =…
Cristina

0 votes, 1 answer

finding sha256 preimage or secp256k1 private key, which is harder?

Is finding a public key that matches the hash of a pre-committed public key (second layer security) more computationally hard than finding the private key to a known public key (attacking secp256k1)?
phi