On Tightly Secure Non-Interactive Key Exchange

Julia Hesse (Technische Universität Darmstadt), Dennis Hofheinz (Karlsruhe Institute of Technology), Lisa Kohl (Karlsruhe Institute of Technology)

IACR Crypto talk slides (59 slides); posted Jun 26, 2020

Non-Interactive Key Exchange (NIKE)

User 1: $(pk_1, sk_1) \leftarrow \mathrm{KeyGen}$; User 2: $(pk_2, sk_2) \leftarrow \mathrm{KeyGen}$

Exchange $pk_1, pk_2$ (one message each, no further interaction)

$K_{21} = \mathrm{SharedKey}(pk_2, sk_1) = \mathrm{SharedKey}(pk_1, sk_2) = K_{12}$

Tight security

Scheme S is secure if problem P is hard:

A attacks S $\Longrightarrow$ B attacks P such that

$\mathrm{Advantage}^{S}_{A} \le L \cdot \mathrm{Advantage}^{P}_{B}$ (and B has similar runtime), where $L$ is the security loss

- Asymptotic security: $L \le$ polynomial
- Tight security: $L$ small (e.g. a small constant)

Why do we care?

- Theory: closer relation between P and S
- Practice: smaller keys $\Rightarrow$ more efficient instantiations


Recap: Diffie-Hellman Key Exchange [DH76; CKS08]

$G$ group, $\langle g \rangle = G$, $p := |G|$

User 1: $a \leftarrow \mathbb{Z}_p$; User 2: $b \leftarrow \mathbb{Z}_p$

Exchange $g^a, g^b$

$K_{21} = (g^b)^a = g^{ab} = (g^a)^b = K_{12}$

Decisional DH: for $a, b, c \leftarrow_R \mathbb{Z}_p$: $(g^a, g^b, g^{ab}) \approx_c (g^a, g^b, g^c)$

(Simplified) Security model

Adversary A receives $pk_1, \dots, pk_n$


(Simplified) Security of NIKE w/ extractions

Challenger: $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}$ for $i = 1, \dots, n$; sends $pk_1, \dots, pk_n$ to A

A: chooses $i^\ast, j^\ast$

Challenger: $b \leftarrow \{0, 1\}$; $K_0 \leftarrow \mathrm{SharedKey}(pk_{i^\ast}, sk_{j^\ast})$, $K_1$ a random key; sends $(sk_i)_{i \notin \{i^\ast, j^\ast\}}$ and $K_b$ to A

A: outputs $b^\ast$

$\mathrm{Advantage}^{\mathrm{nike}}_{A} := |\Pr[b^\ast = b] - 1/2|$

Recap: DH Key Exchange - Security w/ extractions

Idea: $i^\ast, j^\ast \leftarrow_R \{1, \dots, n\}$, embed the DDH challenge in $pk_{i^\ast}, pk_{j^\ast}$

- $i \in \{i^\ast, j^\ast\}$: reduction doesn't know $sk_i$
- $i \notin \{i^\ast, j^\ast\}$: reduction knows $sk_i$

$\Rightarrow$ security loss of $\approx n^2$

[BJLS16]: This loss is inherent!


Our results

Can we do better?

- Yes! First NIKE with security loss $n$ (in the standard model).

Can we do even better?

- Seems hard! Lower bound of security loss $n$ for a broad class of NIKEs.

+ Generic transformation with tight instantiation:

- NIKE with passive security $\Longrightarrow$ NIKE with active security


The lower bound of [BJLS16]

- applies to all NIKEs with unique secret keys
- rules out tight simple black-box reductions: for $i \in \{i^\ast, j^\ast\}$ the reduction doesn't know $sk_i$ $\Rightarrow$ it has to abort on all runs $\neq (i^\ast, j^\ast)$

Figure: metareduction $\Lambda$. B receives an instance of P and sends $pk_1, \dots, pk_n$ to a simulated A; the simulated A answers with $i^\ast, j^\ast$ and receives $(sk_i)_{i \notin \{i^\ast, j^\ast\}}$ and $K_b$, then outputs $b^\ast$; $\Lambda$ rewinds B and repeats this with other choices of $(i^\ast, j^\ast)$, and B finally outputs a solution to P.

- Idea: simulate A by computing $K_{i^\ast j^\ast}$ with extracted $sk_{j^\ast}$ (or $sk_{i^\ast}$)
- $\exists$ run $\neq (i^\ast, j^\ast)$ on which B does not abort $\Rightarrow$ problem P easy (contradiction)
- $\Rightarrow$ security loss of at least $\Omega(n^2)$


How to circumvent the lower bound of [BJLS16]?

Key of [BJLS16]: uniqueness of secret keys $\Rightarrow$ uniqueness of shared key

Our scheme: public keys have many secret keys

Not enough! By correctness:

$\forall (pk_1, sk_1), (pk_2, sk_2) : \mathrm{SharedKey}(pk_2, sk_1) = \mathrm{SharedKey}(pk_1, sk_2)$

Solution: invalid public keys (without secret keys), such that

valid public keys $\approx_c$ invalid public keys

and, for all $(pk_1, sk_1)$ and all invalid $pk_2$:

$(pk_1, pk_2, \mathrm{SharedKey}(pk_2, sk_1)) \equiv (pk_1, pk_2, \text{random})$

Note: this requires entropy in $sk_1$ given $pk_1$ (and thus many secret keys)!


Recap: Subset membership problem (SMP)

$X$ set, $L \subseteq X$ NP-language

Subset membership assumption for $(X, L)$:

$\{x \mid x \leftarrow_R L\} \approx_c \{x \mid x \leftarrow_R X \setminus L\}$

corresponding to: valid public keys $\approx_c$ invalid public keys


Recap: Hash proof system [CS98]

HPS = (Gen, PubEval, PrivEval) is an HPS for language $L$ if:

$\mathrm{PubEval}(hpk, x, w)$ and $\mathrm{PrivEval}(hsk, x)$ return the same key $K$ for all $x \in L$ with witness $w$

Universality: $\forall x \notin L$, $(hpk, hsk) \leftarrow \mathrm{Gen}$:

$(hpk, x, \mathrm{PrivEval}(hsk, x)) \equiv (hpk, x, \text{random})$

Our NIKE (variation of the PAKE of [KOY01; GL03])

HPS = (Gen, PubEval, PrivEval) for $L$, SMP for $L \subseteq X$ hard

User 1: $x_1 \leftarrow L$ with witness $w_1$, $(hpk_1, hsk_1) \leftarrow \mathrm{Gen}$

User 2: $x_2 \leftarrow L$ with witness $w_2$, $(hpk_2, hsk_2) \leftarrow \mathrm{Gen}$

Exchange public keys $(hpk_1, x_1), (hpk_2, x_2)$

$K_{21} = \mathrm{PubEval}(hpk_2, x_1, w_1) = \mathrm{PrivEval}(hsk_2, x_1) = K_{12}$

Note:

- $hsk$ not unique
- can switch $x$ to $X \setminus L$


Proof of Security - Idea

Idea: $i^\ast \leftarrow_R \{1, \dots, n\}$, embed the SMP challenge as $x_{i^\ast}$ in $pk_{i^\ast}$

$\forall j > i^\ast : K_{i^\ast j} = \mathrm{PrivEval}(hsk_j, x_{i^\ast})$, which is $\approx$ random if $x_{i^\ast} \in X \setminus L$ and $hsk_j$ is unknown

- $i = i^\ast$: reduction doesn't know $sk_i$
- $i \neq i^\ast$: reduction knows $sk_i$

$\Rightarrow$ security loss of only $n$
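As an added example (not code from the talk or the paper), here is a toy instantiation of the HPS-based NIKE of the "Our NIKE" slide with the DDH-based hash proof system of [CS98], which also exhibits the two properties the proof idea above relies on: a given $hpk$ has many consistent $hsk$, and for an invalid $x \in X \setminus L$ the key $\mathrm{PrivEval}(hsk, x)$ ranges over the whole group as $hsk$ varies. The group parameters, the trapdoor exponent $w$ with $G_2 = G_1^w$ (known here only so the demo can enumerate equivalent secret keys) and all function names are constructed for this example.

```python
# Toy instantiation of the HPS-based NIKE from the talk, using the DDH-based
# hash proof system of Cramer and Shoup [CS98] over a small prime-order subgroup.
# All parameters are constructed for illustration and far too small for real use.
import secrets

P = 1019              # safe prime, P = 2*Q + 1 (toy size)
Q = 509               # prime order of the subgroup <G1> of Z_P^*
G1 = 4                # 2^2 mod P, generates the order-Q subgroup
TRAPDOOR_W = 321      # log_G1(G2); in a deployment nobody would know this value
G2 = pow(G1, TRAPDOOR_W, P)   # second generator, derived so the demo can show non-unique hsk


# Subset membership problem: L = {(G1^r, G2^r)} inside X = <G1> x <G1>.
def sample_in_L():
    """Random x in L together with its witness w = r."""
    r = secrets.randbelow(Q)
    return (pow(G1, r, P), pow(G2, r, P)), r


def sample_outside_L():
    """Random x in X \\ L: the two exponents differ, so x has no witness ('invalid')."""
    r = secrets.randbelow(Q)
    s = (r + 1 + secrets.randbelow(Q - 1)) % Q     # uniform over Z_Q minus {r}
    return (pow(G1, r, P), pow(G2, s, P))


def in_L(x):
    """Membership test via the trapdoor; only the demo can do this, not the parties."""
    u1, u2 = x
    return pow(u1, TRAPDOOR_W, P) == u2


# Hash proof system HPS = (Gen, PubEval, PrivEval) for L.
def hps_gen():
    k1, k2 = secrets.randbelow(Q), secrets.randbelow(Q)
    hpk = (pow(G1, k1, P) * pow(G2, k2, P)) % P     # hpk = G1^k1 * G2^k2
    return hpk, (k1, k2)


def pub_eval(hpk, x, w):
    """Public evaluation: needs the witness w of x, not hsk."""
    return pow(hpk, w, P)


def priv_eval(hsk, x):
    """Private evaluation: needs hsk and works for every x in X, valid or not."""
    k1, k2 = hsk
    u1, u2 = x
    return (pow(u1, k1, P) * pow(u2, k2, P)) % P


def equivalent_hsk(hsk, t):
    """Another secret key for the same hpk: (k1 + w*t, k2 - t), since G2 = G1^w.
    This is the 'hsk not unique' property; computing it needs the trapdoor w."""
    k1, k2 = hsk
    return ((k1 + TRAPDOOR_W * t) % Q, (k2 - t) % Q)


# NIKE: pk = (hpk, x), sk = (hsk, w, x).
def keygen():
    x, w = sample_in_L()
    hpk, hsk = hps_gen()
    return (hpk, x), (hsk, w, x)


def shared_key(my_index, my_sk, other_index, other_pk):
    """Convention from the talk: for i < j, K_ij = PrivEval(hsk_j, x_i) = PubEval(hpk_j, x_i, w_i)."""
    hsk, w, x_mine = my_sk
    hpk_other, x_other = other_pk
    if my_index < other_index:
        return pub_eval(hpk_other, x_mine, w)   # lower index uses its own witness
    return priv_eval(hsk, x_other)              # higher index uses its own hsk


def nike_correct():
    pk1, sk1 = keygen()
    pk2, sk2 = keygen()
    return shared_key(1, sk1, 2, pk2) == shared_key(2, sk2, 1, pk1)


def keys_under_equivalent_hsk(x, t=1):
    """(same hpk?, same PrivEval key?) for two different hsk that share one hpk.
    For x in L the keys agree; for x outside L they differ, which is what lets the
    reduction replace x_{i*} by an invalid element without being detected."""
    hpk, hsk = hps_gen()
    hsk2 = equivalent_hsk(hsk, t)
    same_hpk = (pow(G1, hsk2[0], P) * pow(G2, hsk2[1], P)) % P == hpk
    return same_hpk, priv_eval(hsk, x) == priv_eval(hsk2, x)


def key_spread_for_invalid_x():
    """Universality: for x outside L, the key takes all Q group values as hsk ranges over
    the Q secret keys consistent with one hpk, i.e. it is uniform given (hpk, x)."""
    x = sample_outside_L()
    hpk, hsk = hps_gen()
    return len({priv_eval(equivalent_hsk(hsk, t), x) for t in range(Q)})


if __name__ == "__main__":
    print("NIKE correctness:", nike_correct())
    print("two hsk, x in L:   ", keys_under_equivalent_hsk(sample_in_L()[0]))
    print("two hsk, x not in L:", keys_under_equivalent_hsk(sample_outside_L()))
    print("distinct keys for invalid x:", key_spread_for_invalid_x(), "of", Q)
```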


Towards a new lower bound

[BJLS16]:

- obtain $sk_{i^\ast}$ or $sk_{j^\ast}$ via rewinding to compute the unique $K_{i^\ast j^\ast}$
- reduction aborts on all runs without $i^\ast$ and on all runs without $j^\ast$ $\Rightarrow$ loss of $\Omega(n^2)$

Problem: $sk_{i^\ast}, sk_{j^\ast}$ not unique

Observation: uniqueness of $K_{i^\ast j^\ast}$ is sufficient

- shared keys between valid public keys are unique
- invalid public keys have no secret keys

Our metareduction:

- Idea: obtain $sk_{i^\ast}$ and $sk_{j^\ast}$ via rewinding to compute the unique $K_{i^\ast j^\ast}$
- reduction aborts on all runs without $i^\ast$ or on all runs without $j^\ast$ $\Rightarrow$ loss of $\Omega(n)$


From passive to active security

Idea: add an unbounded simulation-sound NIZK proof of knowledge (USS-NIZK PoK) of the secret key

- USS-NIZK allows simulating proofs during the reduction
- PoK allows extracting the secret key from corrupted users

Instantiation:

- generic instantiation from standard components
- optimized tightly secure instantiation for our NIKE


Our results

Reference | |pk| | sec. model | sec. loss | assumption | uses
[DH76] | 1 × G | passive | n^2 | DDH | -
Ours | 3 × G | passive | n | DDH | -
[CKS08] | 2 × G | active* | 2 | CDH | ROM
[FHKP13] | 1 × Z_N | active | n^2 | factoring | ROM
[FHKP13] | 2 × G + 1 × Z_p | active | n^2 | DBDH | pairing
Ours | 12 × G | active | n | DLIN | pairing

* w/o extractions

Modular constructions

New lower bound:

- applies to all schemes where invalid public keys have no secret keys
- yields a loss of $\Omega(n)$ for all simple black-box reductions

Generic transformation from passive to active secure NIKE

Thank you!

Bibliography

Christoph Bader, Tibor Jager, Yong Li, and Sven Schäge. "On the Impossibility of Tight Cryptographic Reductions". In: EUROCRYPT 2016, Part II. Ed. by Marc Fischlin and Jean-Sébastien Coron. Vol. 9666. LNCS. Springer, Heidelberg, May 2016, pp. 273–304. doi: 10.1007/978-3-662-49896-5_10.

David Cash, Eike Kiltz, and Victor Shoup. "The Twin Diffie-Hellman Problem and Applications". In: EUROCRYPT 2008. Ed. by Nigel P. Smart. Vol. 4965. LNCS. Springer, Heidelberg, Apr. 2008, pp. 127–145.

Ronald Cramer and Victor Shoup. "A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack". In: CRYPTO '98. Ed. by Hugo Krawczyk. Vol. 1462. LNCS. Springer, Heidelberg, Aug. 1998, pp. 13–25.

Whitfield Diffie and Martin E. Hellman. "New Directions in Cryptography". In: IEEE Transactions on Information Theory 22.6 (1976), pp. 644–654.

Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, and Kenneth G. Paterson. "Non-Interactive Key Exchange". In: PKC 2013. Ed. by Kaoru Kurosawa and Goichiro Hanaoka. Vol. 7778. LNCS. Springer, Heidelberg, 2013, pp. 254–271. doi: 10.1007/978-3-642-36362-7_17.

Rosario Gennaro and Yehuda Lindell. "A Framework for Password-Based Authenticated Key Exchange". In: EUROCRYPT 2003. Ed. by Eli Biham. Vol. 2656. LNCS. http://eprint.iacr.org/2003/032.ps.gz. Springer, Heidelberg, May 2003, pp. 524–543.

Jonathan Katz, Rafail Ostrovsky, and Moti Yung. "Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords". In: EUROCRYPT 2001. Ed. by Birgit Pfitzmann. Vol. 2045. LNCS. Springer, Heidelberg, May 2001, pp. 475–494.

Eike Kiltz and Hoeteck Wee. "Quasi-Adaptive NIZK for Linear Subspaces Revisited". In: EUROCRYPT 2015, Part II. Ed. by Elisabeth Oswald and Marc Fischlin. Vol. 9057. LNCS. Springer, Heidelberg, Apr. 2015, pp. 101–128. doi: 10.1007/978-3-662-46803-6_4.