Knowledge of discrete log is needed in the proof of Cramer-Shoup public key scheme?

Question

In the proof of the Cramer-Shoup public key scheme [1], I understand that the adversary's view can be seen as equations such as $\log c = x_1 + w x_2, \log d = y_1 + w y_2$ and so on (equation 1 and 2 in [1]), where $\log = \log_{g_1}$ and $w = \log g_2$. Does this mean the adversary knows how to solve discrete log? If that's the case, why is it a reasonable assumption? Otherwise, how does the adversary know $\log c$, $\log d$ and $w$?

[1] https://link.springer.com/content/pdf/10.1007%2FBFb0055717.pdf

score 1 · Accepted Answer · answered Apr 22 '20 at 05:54

Of course, it doesn't mean that adversary knows how to solve discrete log. We just wanted to say that adversary only knows that the point $P$ lies somewhere on a plain $\cal{P}$ of such form. We don't suppose that adversary knows actual parameters of the plane.

But it's enough for us to deduce that $\cal{P}$ intersects with another plane $\cal{H}$ (which also has a specific form, though we don't know exact parameters) only by a line, so this intersection is negligible (actually, a probability for $P$ to lie exactly on the line is negligible).

Knowledge of discrete log is needed in the proof of Cramer-Shoup public key scheme?

1 Answers1