# Discrete Logarithm and DDH Assumptions

This section introduces the discrete logarithm problem and related computational assumptions that form the foundation of many cryptographic protocols.

## Group Generation Algorithm

:::{note} Definition: Group Generation Algorithm
:label: group-gen-algo

A *group generation algorithm* $\mathcal{G}$ is a PPT algorithm that takes the security parameter $1^\lambda$ as input and outputs a group description $(\mathbb{G}, p, g)$, where $\mathbb{G}$ is a cyclic group of prime order $p$ with $p \geq 2^{\lambda-1}$, and $g$ is a generator of $\mathbb{G}$.
:::

:::{tip}
The group operation is denoted multiplicatively ($g\cdot g = g^2$).
:::

## The Discrete Logarithm Problem

The discrete logarithm game is defined as follows:

$$
\begin{array}{l}
\underline{\text{Game } \mathsf{DL}^{\mathcal{G}}}: \\
(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^\lambda) \\
x \xleftarrow{\$} \mathbb{Z}_p \\
X := g^x \\
x' \leftarrow \mathcal{A}(\mathbb{G}, p, g, X) \\
\text{return } x' = x
\end{array}
$$

:::{important} Discrete Logarithm Assumption
:label: dl-assumption

Let $\mathcal{G}$ be a group generation algorithm. The discrete logarithm (DL) problem is hard for $\mathcal{G}$ if for any PPT algorithm $\mathcal{A}$,

$$
\mathsf{Adv}_{\mathcal{A},\mathcal{G}}^{\mathsf{DL}} := \Pr[\mathsf{Game\ DL}^{\mathcal{G}} = 1] = \mathsf{negl}(\lambda).
$$
:::

## The DDH Assumption

The decisional Diffie-Hellman game is defined as follows:

$$
\begin{array}{l}
\underline{\text{Game } \mathsf{DDH}^{\mathcal{G}}}: \\
(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^\lambda) \\
a, b \xleftarrow{\$} \mathbb{Z}_p \\
A := g^a, B := g^b \\
d \xleftarrow{\$} \{0, 1\} \\
\text{if } d = 0 \text{ then} \\
\quad c \xleftarrow{\$} \mathbb{Z}_p \\
\quad C := g^c \\
\text{else} \\
\quad C := g^{ab} \\
d' \leftarrow \mathcal{A}(\mathbb{G}, p, g, A, B, C) \\
\text{return } d' = d
\end{array}
$$

:::{important} Decisional Diffie-Hellman Assumption
:label: ddh-assumption

Let $\mathcal{G}$ be a group generation algorithm. The decisional Diffie-Hellman (DDH) problem is hard for $\mathcal{G}$ if for any PPT algorithm $\mathcal{A}$,

$$
\mathsf{Adv}_{\mathcal{A},\mathcal{G}}^{\mathsf{DDH}} := \left|\Pr[\mathsf{Game\ DDH}^{\mathcal{G}} = 1] - \frac{1}{2}\right| = \mathsf{negl}(\lambda).
$$
:::
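As an added illustration (not part of the original notes), the following Python script instantiates the DL and DDH games above for a toy choice of $\mathcal{G}$: the order-$p$ subgroup of $\mathbb{Z}_q^*$ for a safe prime $q = 2p+1$ with $p \geq 2^{\lambda-1}$, generated by $4$. The function names (`group_gen`, `dl_game`, `ddh_game`, `bsgs`, `estimate_advantage`) are this example's own. The adversary is baby-step giant-step, a generic algorithm that needs about $2\sqrt{p}$ group operations; for the tiny $\lambda$ used here it wins the DL game with probability $1$ and the DDH game with advantage $1/2$. The point is that hardness is a statement about how that cost grows with $\lambda$, which is also why a solver for one fixed group says nothing about the asymptotic assumption (compare the secp256k1 exercise below), and that a DL solver immediately gives a DDH distinguisher.

```python
# Added example: toy instantiation of G and of Game DL^G / Game DDH^G.
# Group (assumed choice): squares in Z_q^* for a safe prime q = 2p + 1, i.e. the
# subgroup of prime order p, generated by 4. Elements are ints mod q.
import math
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def group_gen(lam: int) -> tuple[int, int, int]:
    """G(1^lam): return (q, p, g) with p >= 2^(lam-1) prime, q = 2p + 1 prime,
    and g = 4 a generator of the order-p subgroup of Z_q^*."""
    p = 2 ** (lam - 1) + 1                    # smallest odd candidate >= 2^(lam-1)
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    q = 2 * p + 1
    # 4 = 2^2 is a square, so its order divides p; 4 != 1, hence order exactly p.
    return q, p, 4


def dl_game(lam: int, adversary) -> bool:
    """Game DL^G: x <- Z_p, X = g^x, adversary wins iff it returns x."""
    q, p, g = group_gen(lam)
    x = secrets.randbelow(p)
    X = pow(g, x, q)
    return adversary(q, p, g, X) == x


def ddh_game(lam: int, adversary) -> bool:
    """Game DDH^G: d = 0 gives C = g^c for random c, d = 1 gives C = g^(ab)."""
    q, p, g = group_gen(lam)
    a, b = secrets.randbelow(p), secrets.randbelow(p)
    A, B = pow(g, a, q), pow(g, b, q)
    d = secrets.randbelow(2)
    C = pow(g, secrets.randbelow(p), q) if d == 0 else pow(g, a * b % p, q)
    return adversary(q, p, g, A, B, C) == d


def bsgs(q: int, p: int, g: int, X: int) -> int:
    """Baby-step giant-step: x with g^x = X using ~2*sqrt(p) group operations.
    Generic (only uses the group law), so it applies to any group; it is only
    fast here because p is tiny."""
    m = math.isqrt(p) + 1
    table = {}
    cur = 1
    for j in range(m):                        # baby steps: g^j -> j
        table.setdefault(cur, j)
        cur = cur * g % q
    g_inv_m = pow(g, -m, q)                   # g^(-m)
    cur = X
    for i in range(m):                        # giant steps: X * g^(-i*m)
        if cur in table:
            return (i * m + table[cur]) % p
        cur = cur * g_inv_m % q
    raise ValueError("X is not in the subgroup generated by g")


def ddh_adversary(q: int, p: int, g: int, A: int, B: int, C: int) -> int:
    """Solve DL for a, then check C == B^a: breaking DL breaks DDH."""
    a = bsgs(q, p, g, A)
    return 1 if pow(B, a, q) == C else 0


def estimate_advantage(lam: int, trials: int = 50) -> tuple[float, float]:
    """Empirical Pr[DL win] and |Pr[DDH win] - 1/2| for this toy G."""
    dl_wins = sum(dl_game(lam, bsgs) for _ in range(trials))
    ddh_wins = sum(ddh_game(lam, ddh_adversary) for _ in range(trials))
    return dl_wins / trials, abs(ddh_wins / trials - 0.5)


if __name__ == "__main__":
    # For lam = 20 both adversaries succeed essentially always: (1.0, 0.5).
    print(estimate_advantage(20))
```

Doubling $\lambda$ quadruples the number of group elements and so doubles the work of `bsgs`; the assumption says that for a well-chosen $\mathcal{G}$ no PPT algorithm does fundamentally better than this square-root cost.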

## The OMDL and AOMDL Problems

The one-more discrete logarithm (OMDL) and algebraic one-more discrete logarithm (AOMDL) games are defined as follows:

$$
\begin{array}{lll}
\underline{\text{Game } \mathsf{OMDL}^{\mathcal{G}}}: & & \underline{\text{Oracle } \mathsf{Chal}()}: \\
(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^\lambda) & & \ell := \ell + 1 \\
\ell := 0; q := 0 & & x_\ell \xleftarrow{\$} \mathbb{Z}_p \\
\vec{y} \leftarrow \mathcal{A}^{\mathsf{Chal}, \mathsf{DL}}(\mathbb{G}, p, g) & & X_\ell := g^{x_\ell} \\
\vec{x} := (x_1, \ldots, x_\ell) & & \text{return } X_\ell \\
\text{return } (\vec{y} = \vec{x} \wedge q < \ell) & & \\
& & \underline{\text{Oracle } \mathsf{DL}(X)}: \\
& & q := q+1 \\
& & \text{return } \log_g(X)
\end{array}
$$

$$
\begin{array}{ll}
\underline{\text{Game } \mathsf{AOMDL}^{\mathcal{G}}}: & \underline{\text{Oracle } \mathsf{ADL}((\alpha, \beta_1, \ldots, \beta_{\ell}))}: \\
(\mathbb{G}, p, g) \leftarrow \mathcal{G}(1^\lambda) & q := q+1 \\
\ell := 0; q := 0 & \text{return } \alpha + \sum_{i=1}^{\ell} \beta_i x_i \\
\vec{y} \leftarrow \mathcal{A}^{\mathsf{Chal}, \mathsf{ADL}}(\mathbb{G}, p, g) & \text{   } // = \log_g\left(g^\alpha \prod_{i=1}^{\ell} X_i^{\beta_i}\right) \\
\vec{x} := (x_1, \ldots, x_\ell) & \\
\text{return } (\vec{y} = \vec{x} \wedge q < \ell) &
\end{array}
$$

:::{important} One-More Discrete Logarithm Assumption
:label: omdl-assumption

Let $\mathcal{G}$ be a group generation algorithm. The one-more discrete logarithm (OMDL) problem is hard for $\mathcal{G}$ if for any PPT algorithm $\mathcal{A}$,

$$
\mathsf{Adv}_{\mathcal{A},\mathcal{G}}^{\mathsf{OMDL}} := \Pr[\mathsf{Game\ OMDL}^{\mathcal{G}} = 1] = \mathsf{negl}(\lambda).
$$
:::

:::{important} Algebraic One-More Discrete Logarithm Assumption
:label: aomdl-assumption

Let $\mathcal{G}$ be a group generation algorithm. The algebraic one-more discrete logarithm (AOMDL) problem is hard for $\mathcal{G}$ if for any PPT algorithm $\mathcal{A}$,

$$
\mathsf{Adv}_{\mathcal{A},\mathcal{G}}^{\mathsf{AOMDL}} := \Pr[\mathsf{Game\ AOMDL}^{\mathcal{G}} = 1] = \mathsf{negl}(\lambda).
$$
:::

:::{tip}
When proving the security of a scheme using the AOMDL assumption, the $\mathsf{ADL}$ oracle is (typically) used by the reduction and not by the adversary against the scheme. Therefore, the security proof is not restricted to adversaries that know the algebraic representations of all group elements that they output.
:::

:::{tip} Falsifiable Assumptions
In order to be able to evaluate whether an assumption is true or not, it must be falsifiable, i.e., there must be a (constructive) way to demonstrate that it is false, if this is the case. More precisely, a cryptographic assumption is *falsifiable* if there exists a PPT challenger algorithm that interacts with an adversary and decides whether the adversary breaks the assumption.
:::

## Exercises

:::{exercise}
:label: ex-dl-secp256k1

In the framework of asymptotic security, why is the DL problem on secp256k1 not hard? What does $\mathcal{G}$ do?

:::{dropdown} **Solution**
The DL problem on secp256k1 is not hard in the asymptotic framework because secp256k1 is a single fixed group: its order is one fixed 256-bit prime, independent of $\lambda$. A fixed instance can be solved by an algorithm whose running time is a constant in $\lambda$ (roughly $2^{128}$ group operations with a generic square-root algorithm, but still a constant), and a constant-time algorithm is PPT, so it wins the DL game with probability $1$, which is not negligible. Asymptotic hardness needs an infinite family of groups whose size grows with $\lambda$. That is what $\mathcal{G}$ provides: on input $1^\lambda$ it outputs a group of prime order $p \geq 2^{\lambda-1}$, so the cost of every known attack grows with $\lambda$ and "negligible in $\lambda$" becomes meaningful.
:::
:::

:::{exercise}
:label: ex-omdl-implies-dl

Argue that if OMDL is hard for a group generation algorithm then DL is hard.

:::{dropdown} **Solution**
If OMDL is hard, then DL must be hard. Given a PPT DL adversary $\mathcal{A}$, we construct a PPT OMDL adversary $\mathcal{B}$:
- $\mathcal{B}$ calls $\mathsf{Chal}()$ once to get $X_1$ (so $\ell = 1$).
- $\mathcal{B}$ runs $\mathcal{A}(\mathbb{G}, p, g, X_1)$ to get $x_1'$, never querying the $\mathsf{DL}$ oracle (so $q = 0$).
- $\mathcal{B}$ outputs $(x_1')$.

If $\mathcal{A}$ succeeds, then $x_1' = x_1$, and since $q = 0 < 1 = \ell$ the winning condition holds. Hence $\mathsf{Adv}^{\mathsf{OMDL}}_{\mathcal{B},\mathcal{G}} = \mathsf{Adv}^{\mathsf{DL}}_{\mathcal{A},\mathcal{G}}$, so if the latter were non-negligible, so would be the former.
:::
:::

:::{exercise}
:label: ex-aomdl-queries

Consider an algorithm $\mathcal{A}$ playing the AOMDL game. It queries $\mathsf{Chal}$ twice to obtain $X_1$ and $X_2$, then samples $\alpha, \beta_1, \beta_2 \xleftarrow{\$} \mathbb{Z}_p$.

1. How should $\mathcal{A}$ call the $\mathsf{ADL}$ oracle to obtain $\log_g(P)$ where $P = g^\alpha X_1^{\beta_1} X_2^{\beta_2}$?
2. Assuming $\mathcal{A}$ makes no more $\mathsf{Chal}$ queries, how many more $\mathsf{ADL}$ queries can it make?
3. What must $\mathcal{A}$ return to win the game?

:::{dropdown} **Solution**
1. $\mathcal{A}$ should call $\mathsf{ADL}((\alpha, \beta_1, \beta_2))$. The oracle will return
   $$
   \alpha + \beta_1 x_1 + \beta_2 x_2 = \log_g(g^\alpha X_1^{\beta_1} X_2^{\beta_2}) = \log_g(P).
   $$
2. After the two $\mathsf{Chal}$ queries $\ell = 2$, and after the $\mathsf{ADL}$ query $q = 1$. The winning condition requires $q < \ell$, so $\mathcal{A}$ can make no further $\mathsf{ADL}$ queries: a second one would give $q = 2 \not< 2$.
3. $\mathcal{A}$ must return $(x_1, x_2)$, the discrete logarithms of $X_1$ and $X_2$.
:::
:::

:::{exercise}
:label: ex-falsifiability

Is the OMDL assumption falsifiable? Is the AOMDL assumption falsifiable? Do we prefer the security of a scheme to be based on OMDL or AOMDL?

:::{dropdown} **Solution**
The OMDL assumption is *non-falsifiable* in the above sense: the challenger has to answer $\mathsf{DL}(X)$ for arbitrary group elements $X$ chosen by the adversary, i.e., it has to compute discrete logarithms, which no PPT algorithm can do if DL (and hence OMDL) is hard. So there is no PPT challenger for the OMDL game.

The AOMDL assumption is *falsifiable* because:
- The ADL oracle can be implemented efficiently: given $(\alpha, \beta_1, \ldots, \beta_\ell)$, it simply returns $\alpha + \sum_{i=1}^\ell \beta_i x_i$
- The winning condition can be verified by checking that the returned values equal the stored $x_i$ values
- All operations (additions, multiplications) are polynomial time

We prefer basing security on falsifiable assumptions, so on AOMDL. AOMDL is also the weaker (more plausible) assumption: if AOMDL does not hold, then OMDL does not hold either, because every AOMDL adversary can be run as an OMDL adversary. The OMDL adversary answers each $\mathsf{ADL}((\alpha, \beta_1, \ldots, \beta_\ell))$ query by computing $Y := g^\alpha \prod_{i=1}^{\ell} X_i^{\beta_i}$ and querying $\mathsf{DL}(Y)$, which returns exactly $\alpha + \sum_i \beta_i x_i$ at the cost of one $\mathsf{DL}$ query per $\mathsf{ADL}$ query, so the counters $q$ and $\ell$ agree in both games.
:::
:::
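As an added example (not from the notes), the following Python code implements a challenger for the AOMDL game over an assumed toy group, the order-$491$ subgroup of $\mathbb{Z}_{983}^*$ generated by $4$ ($983 = 2 \cdot 491 + 1$ is a safe prime), and uses it to check the reduction of {ref}`ex-omdl-implies-dl`, the query accounting of {ref}`ex-aomdl-queries`, and the falsifiability point of {ref}`ex-falsifiability`. The names `AOMDLChallenger`, `reduction_from_dl`, `brute_force_dl` and `exercise_queries` are this example's own. Two things to notice: the challenger never computes a discrete logarithm, since $\mathsf{ADL}$ is plain arithmetic in $\mathbb{Z}_p$ and the winning check is a comparison, which is what makes AOMDL falsifiable; and an adversary that recovers one of the two logarithms by its own work can turn the single $\mathsf{ADL}$ answer into the other one, which is exactly the "one more" logarithm that the assumption says is infeasible in a large group.

```python
# Added example: a PPT challenger for Game AOMDL^G over a toy group.
# Assumed group description (G, p, g): the order-491 subgroup of Z_983^*,
# generated by 4 (983 = 2*491 + 1 is a safe prime, 4 = 2^2 is a square).
import secrets

Q, P, G = 983, 491, 4


class AOMDLChallenger:
    """Runs Game AOMDL^G: exposes Chal and ADL, then judges the returned vector."""

    def __init__(self) -> None:
        self.xs: list[int] = []        # x_1, ..., x_ell (secret)
        self.q = 0                     # number of ADL queries so far

    @property
    def ell(self) -> int:
        return len(self.xs)

    def chal(self) -> int:
        """Oracle Chal(): fresh x_ell <- Z_p, return X_ell = g^x_ell."""
        x = secrets.randbelow(P)
        self.xs.append(x)
        return pow(G, x, Q)

    def adl(self, coeffs: tuple[int, ...]) -> int:
        """Oracle ADL((alpha, beta_1, ..., beta_ell)): alpha + sum_i beta_i x_i mod p.
        Only field arithmetic: no discrete logarithm is ever computed here."""
        alpha, *betas = coeffs
        if len(betas) != self.ell:
            raise ValueError("representation needs exactly one beta per challenge")
        self.q += 1
        return (alpha + sum(b * x for b, x in zip(betas, self.xs))) % P

    def judge(self, ys: list[int]) -> bool:
        """Winning condition of the game: y = (x_1, ..., x_ell) and q < ell."""
        return ys == self.xs and self.q < self.ell


def brute_force_dl(q: int, p: int, g: int, X: int) -> int:
    """Exhaustive search, viable only because p = 491; stands in for a DL solver."""
    for x in range(p):
        if pow(g, x, q) == X:
            return x
    raise ValueError("X is not in the group generated by g")


def reduction_from_dl(dl_adversary) -> bool:
    """ex-omdl-implies-dl: B makes one Chal query and zero ADL queries, so
    ell = 1, q = 0 and B wins exactly when the DL adversary is correct."""
    ch = AOMDLChallenger()
    X1 = ch.chal()
    return ch.judge([dl_adversary(Q, P, G, X1)])


def exercise_queries() -> dict:
    """ex-aomdl-queries: two Chal queries, one ADL query on g^alpha X1^b1 X2^b2."""
    ch = AOMDLChallenger()
    X1, X2 = ch.chal(), ch.chal()
    alpha, b2 = secrets.randbelow(P), secrets.randbelow(P)
    b1 = secrets.randbelow(P - 1) + 1          # nonzero, so it is invertible mod p
    target = pow(G, alpha, Q) * pow(X1, b1, Q) * pow(X2, b2, Q) % Q
    log_target = ch.adl((alpha, b1, b2))       # = alpha + b1*x1 + b2*x2 mod p
    oracle_correct = pow(G, log_target, Q) == target
    queries_left = ch.ell - ch.q - 1           # ell = 2, q = 1: no further queries
    # "One more": if the adversary gets x_2 by its own work (brute force here,
    # only possible because p is tiny), the single ADL answer also yields x_1.
    x2 = brute_force_dl(Q, P, G, X2)
    x1 = (log_target - alpha - b2 * x2) * pow(b1, -1, P) % P
    won = ch.judge([x1, x2])                   # correct vector and q = 1 < 2 = ell
    ch.adl((0, 1, 0))                          # one ADL query too many ...
    over_budget = ch.judge([x1, x2])           # ... and the same vector no longer wins
    return {"oracle_correct": oracle_correct, "queries_left": queries_left,
            "won": won, "over_budget_wins": over_budget}


if __name__ == "__main__":
    print(reduction_from_dl(brute_force_dl))   # True
    print(exercise_queries())
```

In a group of cryptographic size the `brute_force_dl` step is the one that becomes infeasible; everything the challenger does stays polynomial in $\lambda$, which is the whole content of the falsifiability claim for AOMDL.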

:::{exercise}
:label: ex-dl-general

(Optional) Why is the DL problem not hard in general?

:::{dropdown} **Solution**
The DL problem is only hard in suitably chosen groups. In the additive group $(\mathbb{Z}_p, +)$, with generator $g$ and $X = x \cdot g \bmod p$, the "discrete logarithm" is $x = X \cdot g^{-1} \bmod p$, computable in polynomial time with the extended Euclidean algorithm. Moreover, quantum computers solve the DL problem in every group with efficient group operations in polynomial time using Shor's algorithm.
:::
:::

:::{exercise}
:label: ex-ggm

(Optional) Read about the Generic Group Model (GGM) in the introductions of Shoup (1997) and Maurer (2005), and argue why the DL problem is hard for generic algorithms, i.e., classical algorithms that access the group only through the group operation and equality tests.
:::

:::{exercise}
:label: ex-silent-payments

(Optional) How does Silent Payments (BIP-Silent Payments) rely on the DDH assumption?
:::

:::{exercise}
:label: ex-falsifiability-study

(Optional) Study the concept of falsifiability of cryptographic assumptions by reading Naor (2003). Analyze the following assumptions and explain the extent to which each one is falsifiable:
- Factoring
- The RSA assumption
- The Decisional Diffie-Hellman assumption
- The Knowledge-of-Exponent assumption
:::