on tightly secure non-interactive key exchange - iacr crypto tightly secure non-interactive... ·...
TRANSCRIPT
![Page 1: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/1.jpg)
On Tightly Secure Non-Interactive Key Exchange
Julia Hesse (Technische Universitat Darmstadt)Dennis Hofheinz (Karlsruhe Institute of Technology)Lisa Kohl (Karlsruhe Institute of Technology)
1
![Page 2: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/2.jpg)
Non-Interactive Key Exchange (NIKE)
(pk1, sk1)← KeyGen
K21 = SharedKey(pk2, sk1)
(pk2, sk2)← KeyGen
K12 = SharedKey(pk1, sk2)
pk1, pk2
=
2
![Page 3: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/3.jpg)
Tight security
Scheme S secure if problem P hard:
A attacks S =⇒ B attacks P s.t.
AdvantageSA ≤ L︸︷︷︸security loss
· AdvantagePB (+ similar runtime)
I Asymptotic security: L ≤ polynomial
I Tight security: L small (e.g. small constant)
Why do we care?
I Theory: closer relation between P and SI Practice: smaller keys ⇒ more efficient instantiations
3
![Page 4: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/4.jpg)
Tight security
Scheme S secure if problem P hard:
A attacks S =⇒ B attacks P s.t.
AdvantageSA ≤ L︸︷︷︸security loss
· AdvantagePB (+ similar runtime)
I Asymptotic security: L ≤ polynomial
I Tight security: L small (e.g. small constant)
Why do we care?
I Theory: closer relation between P and SI Practice: smaller keys ⇒ more efficient instantiations
3
![Page 5: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/5.jpg)
Tight security
Scheme S secure if problem P hard:
A attacks S =⇒ B attacks P s.t.
AdvantageSA ≤ L︸︷︷︸security loss
· AdvantagePB (+ similar runtime)
I Asymptotic security: L ≤ polynomial
I Tight security: L small (e.g. small constant)
Why do we care?
I Theory: closer relation between P and SI Practice: smaller keys ⇒ more efficient instantiations
3
![Page 6: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/6.jpg)
Recap: Diffie-Hellman Key Exchange[DH76; CKS08]G group, 〈g〉 = G, p := |G|
a← Zp
K21 = (gb)a
b ← Zp
K12 = (ga)b
ga, gb
= gab =
Decisional DH: a, b, c ←R Zp: (ga, gb, gab) ≈c (ga, gb, g c)4
![Page 7: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/7.jpg)
(Simplified) Security model
pk1, · · · , pkn
5
![Page 8: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/8.jpg)
(Simplified) Security model
pk1, · · · , pkn
5
![Page 9: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/9.jpg)
(Simplified) Security model
pk1, · · · , pkn
5
![Page 10: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/10.jpg)
(Simplified) Security of NIKE w/ extractions
b?
A
pk1, . . . , pkn(pki , ski )← KeyGen
i?, j?
skii /∈i?,j?,Kb
b ← 0, 1K0 ← SharedKey(pki? , skj?)K1 random key
AdvantagenikeA := |Pr[b? = b]− 1/2|
6
![Page 11: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/11.jpg)
Recap: DH Key Exchange - Security w/ extractions
Idea: i?, j? ←R 1, . . . , n, embed DDH-challenge in pki? , pkj?
security loss of ≈ n2
Reduction doesn’t know ski
Reduction knows ski
i ∈ i?, j?i /∈ i?, j?
[BJLS16]: This loss is inherent!
7
![Page 12: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/12.jpg)
Recap: DH Key Exchange - Security w/ extractions
Idea: i?, j? ←R 1, . . . , n, embed DDH-challenge in pki? , pkj?
security loss of ≈ n2
Reduction doesn’t know skiReduction knows ski
i ∈ i?, j?i /∈ i?, j?
[BJLS16]: This loss is inherent!
7
![Page 13: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/13.jpg)
Recap: DH Key Exchange - Security w/ extractions
Idea: i?, j? ←R 1, . . . , n, embed DDH-challenge in pki? , pkj?
security loss of ≈ n2
Reduction doesn’t know skiReduction knows ski
i ∈ i?, j?i /∈ i?, j?
[BJLS16]: This loss is inherent!
7
![Page 14: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/14.jpg)
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
![Page 15: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/15.jpg)
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
![Page 16: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/16.jpg)
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
![Page 17: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/17.jpg)
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
![Page 18: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/18.jpg)
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
![Page 19: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/19.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewindrewind
b?
b?
Metareduction Λ
A
simA
sim
A
sim
BB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j?
with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
![Page 20: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/20.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewindrewind
b?
b?
Metareduction Λ
A
simA
sim
A
sim
BB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j?
with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
![Page 21: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/21.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewindrewind
b?
b?
Metareduction Λ
AsimAsim
Asim
BB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kb
skii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j?
with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
![Page 22: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/22.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?
rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
skii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)
I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
![Page 23: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/23.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
![Page 24: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/24.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy
EI ⇒ security loss of at least Ω(n2)
9
![Page 25: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/25.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
![Page 26: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/26.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?
rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
![Page 27: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/27.jpg)
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?
rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
![Page 28: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/28.jpg)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
![Page 29: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/29.jpg)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
![Page 30: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/30.jpg)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
![Page 31: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/31.jpg)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
![Page 32: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/32.jpg)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
![Page 33: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/33.jpg)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
![Page 34: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/34.jpg)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
![Page 35: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/35.jpg)
Recap: Subset membership problem (SMP)
X set, L ⊆ X NP-language
Subset membership assumption for (X , L):
≈c x | x ←R X \ Lx | x ←R L
≈c invalid public keysvalid public keys
11
![Page 36: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/36.jpg)
Recap: Subset membership problem (SMP)
X set, L ⊆ X NP-language
Subset membership assumption for (X , L):
≈c x | x ←R X \ Lx | x ←R L
≈c invalid public keysvalid public keys
11
![Page 37: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/37.jpg)
Recap: Hash proof system[CS98]
HPS = (Gen, PubEval, PrivEval) is HPS for language L if:
PubEval(hpk, x ,w)
PrivEval(hsk , x)
return the same key K for all x ∈ L with witness w
Universality: ∀x /∈ L, (hpk, hsk )← Gen:
(hpk, x , PrivEval(hsk , x)) ≡ (hpk, x , random)
12
![Page 38: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/38.jpg)
Our NIKEVariation of the PAKE of [KOY01; GL03]
HPS = (Gen, PubEval, PrivEval) for L, SMP for L ⊆ X hard
Note:I hsk not unique
I can switch x to X\L
x1 ← L with witness w1
(hpk1, hsk1)← Gen
K21 = PubEval(hpk2, x1,w1)
x2 ← L with witness w2
(hpk2, hsk2)← Gen
K12 = PrivEval(hsk2, x1)
(hpk1,
x1
)
,
(
hpk2
, x2)
=
13
![Page 39: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/39.jpg)
Our NIKEVariation of the PAKE of [KOY01; GL03]
HPS = (Gen, PubEval, PrivEval) for L, SMP for L ⊆ X hard
Note:I hsk not unique
I can switch x to X\L
x1 ← L with witness w1
(hpk1, hsk1)← Gen
K21 = PubEval(hpk2, x1,w1)
x2 ← L with witness w2
(hpk2, hsk2)← Gen
K12 = PrivEval(hsk2, x1)
(hpk1, x1), (hpk2, x2)
=
13
![Page 40: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/40.jpg)
Our NIKEVariation of the PAKE of [KOY01; GL03]
HPS = (Gen, PubEval, PrivEval) for L, SMP for L ⊆ X hard
Note:I hsk not unique
I can switch x to X\L
x1 ← L with witness w1
(hpk1, hsk1)← Gen
K21 = PubEval(hpk2, x1,w1)
x2 ← L with witness w2
(hpk2, hsk2)← Gen
K12 = PrivEval(hsk2, x1)
(hpk1, x1), (hpk2, x2)
=
13
![Page 41: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/41.jpg)
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
![Page 42: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/42.jpg)
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
![Page 43: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/43.jpg)
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
![Page 44: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/44.jpg)
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
![Page 45: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/45.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 46: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/46.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 47: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/47.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 48: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/48.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 49: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/49.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 50: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/50.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 51: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/51.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 52: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/52.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j?
⇒ loss of Ω(n)
15
![Page 53: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/53.jpg)
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
![Page 54: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/54.jpg)
From passive to active security
Idea: add unbounded simulation sound NIZK proof of knowledge of secret key
I USS-NIZK allows to simulate during the reduction
I PoK allows to extract the secret key from corrupted users
Instantiation:
I generic instantiation from standard components
I optimized tightly secure instantiation for our NIKE
16
![Page 55: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/55.jpg)
From passive to active security
Idea: add unbounded simulation sound NIZK proof of knowledge of secret key
I USS-NIZK allows to simulate during the reduction
I PoK allows to extract the secret key from corrupted users
Instantiation:
I generic instantiation from standard components
I optimized tightly secure instantiation for our NIKE
16
![Page 56: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/56.jpg)
Our resultsReference |pk| sec. model sec. loss assumption uses
[DH76] 1×G passive n2 DDH -Ours 3×G passive n DDH -
[CKS08] 2×G active? 2 CDH ROM[FHKP13] 1× ZN active n2 factoring ROM[FHKP13] 2×G + 1× Zp active n2 DBDH pairingOurs 12×G active n DLIN pairing
*w/o extractionsModular constructions
New lower bound:I applies to all schemes where invalid public keys have no secret keysI yields a loss of Ω(n) for all simple black-box reductions
Generic transformation from passive to active secure NIKE Thank you!!
17
![Page 57: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/57.jpg)
Bibliography IChristoph Bader, Tibor Jager, Yong Li, and Sven Schage. “On theImpossibility of Tight Cryptographic Reductions”. In:EUROCRYPT 2016, Part II. Ed. by Marc Fischlin andJean-Sebastien Coron. Vol. 9666. LNCS. Springer, Heidelberg, May 2016,pp. 273–304. doi: 10.1007/978-3-662-49896-5_10.
David Cash, Eike Kiltz, and Victor Shoup. “The Twin Diffie-HellmanProblem and Applications”. In: EUROCRYPT 2008. Ed. byNigel P. Smart. Vol. 4965. LNCS. Springer, Heidelberg, Apr. 2008,pp. 127–145.
Ronald Cramer and Victor Shoup. “A Practical Public Key CryptosystemProvably Secure Against Adaptive Chosen Ciphertext Attack”. In:CRYPTO’98. Ed. by Hugo Krawczyk. Vol. 1462. LNCS. Springer,Heidelberg, Aug. 1998, pp. 13–25.
18
![Page 58: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/58.jpg)
Bibliography II
Whitfield Diffie and Martin E. Hellman. “New Directions inCryptography”. In: IEEE Transactions on Information Theory 22.6(1976), pp. 644–654.
Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, andKenneth G. Paterson. “Non-Interactive Key Exchange”. In: PKC 2013.Ed. by Kaoru Kurosawa and Goichiro Hanaoka. Vol. 7778. LNCS. Springer,Heidelberg, 2013, pp. 254–271. doi: 10.1007/978-3-642-36362-7_17.
Rosario Gennaro and Yehuda Lindell. “A Framework for Password-BasedAuthenticated Key Exchange”. In: EUROCRYPT 2003. Ed. by Eli Biham.Vol. 2656. LNCS. http://eprint.iacr.org/2003/032.ps.gz.Springer, Heidelberg, May 2003, pp. 524–543.
19
![Page 59: On Tightly Secure Non-Interactive Key Exchange - IACR Crypto Tightly Secure Non-Interactive... · On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit](https://reader035.vdocuments.site/reader035/viewer/2022081402/5f0e040b7e708231d43d33b1/html5/thumbnails/59.jpg)
Bibliography III
Jonathan Katz, Rafail Ostrovsky, and Moti Yung. “EfficientPassword-Authenticated Key Exchange Using Human-MemorablePasswords”. In: EUROCRYPT 2001. Ed. by Birgit Pfitzmann. Vol. 2045.LNCS. Springer, Heidelberg, May 2001, pp. 475–494.
Eike Kiltz and Hoeteck Wee. “Quasi-Adaptive NIZK for Linear SubspacesRevisited”. In: EUROCRYPT 2015, Part II. Ed. by Elisabeth Oswald andMarc Fischlin. Vol. 9057. LNCS. Springer, Heidelberg, Apr. 2015,pp. 101–128. doi: 10.1007/978-3-662-46803-6_4.
20