On error correction in the exponent

Abstract

Given a corrupted word w = (w 1,⋯,w n) from a ReedSolomon code of distance d, there are many ways to efficiently find and correct its errors. But what if we are instead given (g w1,⋯, g wn) where g generates some large cyclic group - can the errors still be corrected efficiently? This problem is called error correction in the exponent, and though it arises naturally in many areas of cryptography, it has received little attention. We first show that unique decoding and list decoding in the exponent are no harder than the computational Diffie-Hellman (CDH) problem in the same group. The remainder of our results are negative: - Under mild assumptions on the parameters, we show that boundeddistance decoding in the exponent, under e = d -k 1-e errors for any ε> 0, is as hard as the discrete logarithm problem in the same group. - For generic algorithms (as defined by Shoup, Eurocrypt 1997) that treat the group as a "black-box," we show lower bounds for decoding that exactly match known algorithms. Our generic lower bounds also extend to decisional variants of the decoding problem, and to groups in which the decisional Diffie-Hellman (DDH) problem is easy. This suggests that hardness of decoding in the exponent is a qualitatively new assumption that lies "between" the DDH and CDH assumptions. © Springer-Verlag Berlin Heidelberg 2006.