Decision oracles are equivalent to matching oracles

Abstract

One of the key directions in complexity theory which has also filtered through to cryptographic research, is the effort to classify related but seemingly distinct notions. Separation or reduction arguments are the basic means for this classification. Continuing this direction we identify a class of problems, called “matching problems,” which are related to the class of “decision problems.” In many cases, these classes are neither trivially equivalent nor distinct. Briefly, a “decision” problem consists of one instance and a supposedly related image of this instance; the problem is to decide whether the instance and the image indeed satisfy the given predicate. In a “matching” problem two such pairs of instances-images are given, and the problem is to “match” or “distinguish” which image corresponds to which instance. Clearly the decision problem is more difficult, since given a “decision” oracle one can simply test each of the two images to be matched against an instance and solve the matching problem. Here we show that the opposite direction also holds, presuming that randomization of the input is possible, and that the matching oracle is successful in all but a negligible part of its input set. We first apply our techniques to show equivalence between the matching Diffie-Hellman and the decision Diffie-Hellman problems which were both applied recently quite extensively. This is a constructive step towards examining the strength of the Diffie-Hellman related problems. Then we show that in cryptosystems which can be uniformly randomized, non-semantic security implies that there is an oracle that decides whether a given plaintext corresponds to a given ciphertext. In the process we provide a new characteristic of encryption functions, which we call “universal malleability.”.