**A Note on the Bilinear Diffie-Hellman Assumption**

*Yacov Yacobi*

**Abstract: **Abstract. The Bi-linear Diffie-Hellman (BDH) intractability assumption is required to establish the security of new Weil-pairing based cryptosystems. BDH is reducible to most of the older believed-to-be-hard discrete-log problems and DH problems, but there is no known reduction from any of those problems to BDH. Let the bilinear mapping be e:G1 X G1->G2, where G1 and G2 are cyclic groups. We show that a many-one reduction from any of the relevant problems to BDH has to include an efficient mapping \phi:G2 ->G1 where \phi(g^{x})=f(x)P. Here g, and P are generators of the corresponding cyclic groups. The function \phi must be used in the reduction either before or after the call to oracle BDH. We show that if f(x)=ax^n+b for any constants a,b,n, then \phi could be used as an oracle for a probabilistic polynomial time solution for Decision Diffie-Hellman in G2. Thus such a reduction is unlikely.

**Category / Keywords: **Bi-linear pairing; ID based cryptosystems

**Publication Info: **Identity Based Encryption; Weil pairing

**Date: **received 7 Aug 2002, last revised 9 Aug 2002

**Contact author: **yacov at microsoft com

**Available format(s): **Postscript (PS) | Compressed Postscript (PS.GZ) | BibTeX Citation

**Version: **20020810:133304 (All versions of this report)

**Short URL: **ia.cr/2002/113

[ Cryptology ePrint archive ]