A cryptographic primitive based on hidden-order groups

Let G(1) be a cyclic multiplicative group of order n. It is known that the computational Diffie-Hellman (CDH) problem is random self-reducible in G1 if phi(n) is known. That is, given g,g(x) epsilon G(1) for some generator g and oracle access to a "Diffie-Hellman Problem solver" for g, it is possible to compute g(1/x) epsilon G(1) in polynomial time (with which we can then solve the CDH problem w.r.t. any other generator). On the other hand, it is not clear if such a reduction exists when phi(n) is unknown. We exploit this "gap" to construct a novel cryptographic primitive, which we call an Oracle-based Group with Infeasible Inversion (O-GII). O-GIIs have applications in multiparty protocols. We demonstrate this by presenting a novel multi-party key agreement protocol that does not require interaction between the parties. Instead, the protocol requires each party to query a remote stateless device. Our method relies on the observation that it is considerably more expensive to interact with every party connected via an unreliable network, than it is to query one of several identical stateless devices, some of which may be located in a more reliable sub-network.