Tight Time-Space Tradeoffs for the Decisional Diffie-Hellman Problem

In the (preprocessing) Decisional Diffie-Hellman (DDH) problem, we are given a cyclic group G with a generator g and a prime order N, and want to prepare some advice of S, such that we can efficiently distinguish (g(x),g(y),g(xy)) from (g(x),g(y),g(z)) in time T for uniformly and independently chosen x, y ,z from [N. This is a central cryptographic problem whose computational hardness underpins many widely deployed schemes such as the Diffie-Hellman key exchange protocol. We prove that any generic preprocessing DDH algorithm (operating in any cyclic group) achieves advantage at most O(ST2/N). This bound matches the best known attack up to poly-log factors, and confirms that DDH is as secure as the (seemingly harder) discrete logarithm problem against preprocessing attacks. Our result resolves an open question by Corrigan-Gibbs and Kogan (EURO-CRYPT 2018), which proved optimal bounds for many variants of discrete logarithm problems except DDH (with an (O) over tilde(root ST2/N) bound). We obtain our results by adopting and refining the approach by Gravin, Guo, Kwok, Lu (SODA 2021) and by Yun (EUROCRYPT 2015). Along the way, we significantly simplified and extended above techniques which may be of independent interests. The highlights of our techniques are following: We obtain a simpler reduction from decisional problems against S-bit advice to their S-wise XOR lemmas against zero-advice, recovering the reduction by Gravin, Guo, Kwok and Lu (SODA 2021). We show how to reduce generic hardness of decisional problems to their variants in the simpler hyperplane model proposed by Yun (EUROCRYPT 2015). This is the first work analyzing a decisional problem in Yun's model, answering an open problem proposed by Auerbach, Hoffman, and Pascual-Perez (TCC 2023). We prove an S-wise XOR lemma of DDH in Yun's model. As a corollary, we obtain the generic hardness of the S-XOR DDH problem.