Optimal reductions of some decisional problems to the rank problem

Abstract

In the last years the use of large matrices and their algebraic properties proved to be useful to instantiate new cryptographic primitives like Lossy Trapdoor Functions and encryption schemes with improved security, like Key Dependent Message resilience. In these constructions the rank of a matrix is assumed to be hard to guess when the matrix is hidden by elementwise exponentiation. This problem, that we call here the Rank Problem, is known to be related to the Decisional Diffie-Hellman problem, but in the known reductions between both problems there appears a loss-factor in the advantage which grows linearly with the rank of the matrix. In this paper, we give a new and better reduction between the Rank problem and the Decisional Diffie-Hellman problem, such that the reduction loss-factor depends logarithmically in the rank. This new reduction can be applied to a number of cryptographic constructions, improving their efficiency. The main idea in the reduction is to build from a DDH tuple a matrix which rank shifts from r to 2r, and then apply a hybrid argument to deal with the general case. In particular this technique widens the range of possible values of the ranks that are tightly related to DDH. On the other hand, the new reduction is optimal as we show the nonexistence of more efficient reductions in a wide class containing all the "natural" ones (i.e., black-box and algebraic). The result is twofold: there is no (natural) way to build a matrix which rank shifts from r to 2r + α for α > 0, and no hybrid argument can improve the logarithmic loss-factor obtained in the new reduction. The techniques used in the paper extend naturally to other "algebraic" problems like the Decisional Linear or the Decisional 3-Party Diffie-Hellman problems, also obtaining reductions of logarithmic complexity. © International Association for Cryptologic Research 2012.