Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson PKC 2013 - Nara, Japan March 1, 2013
Non-Interactive Key Exchange

Goal: Enabling two parties who know each other’s public key to agree on a symmetric shared key without requiring any interaction.

Classical example: Diffie-Hellman Key Exchange

Let $G$ be a group of prime order $p$ with generator $g$.

Alice: $sk_A: x \leftarrow \mathbb{Z}_p$, $pk_A: X = g^x \in G$
Bob: $sk_B: y \leftarrow \mathbb{Z}_p$, $pk_B: Y = g^y \in G$
Shared key: $K = X^y = Y^x = g^{xy}$

More properly, $K = H(\text{Alice}, \text{Bob}, g^{xy})$.

Formal Definition of NIKE

A NIKE scheme consists of 3 algorithms: CS, KG, SK. We consider an identity space $IDS$ and a shared key space $SHK$.

- $CS(1^k)$ (Common Setup - run by a trusted authority)
  output: set of system parameters $par$
- $KG(par, ID)$ (Key Generation - run by any user)
  output: a pair of public key and private key $(pk, sk)$
- $SK(ID_1, pk_1, ID_2, sk_2)$ (Shared Key - run by any user)
  output: either a shared key $K_{1,2} \in SHK$ or $\perp$
  this algorithm is assumed to always output $\perp$ if $ID_1 = ID_2$

Identities are used to track which public keys are associated with which users. We are not in the identity-based setting!

Correctness requirement: We require $SK(ID_1, pk_1, ID_2, sk_2) = SK(ID_2, pk_2, ID_1, sk_1)$ for any pair of identities $ID_1$, $ID_2$ and corresponding key pairs $(pk_1, sk_1)$ and $(pk_2, sk_2)$.

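The hashed Diffie-Hellman scheme from the earlier slide, written in the CS/KG/SK syntax defined here, as an added example (not code from the talk or its authors). Assumptions: toy group parameters constructed for the example, with the modulus called p and the subgroup order called q (the slide's p); par passed explicitly to SK; identities hashed in sorted order; an added subgroup check on the peer's public key; None standing for ⊥.

```python
import hashlib
import secrets

def CS():
    """Common setup. Toy parameters constructed for this example (far too
    small for real use): p = 2q + 1 with p, q prime, and g = 4 generating
    the order-q subgroup of Z_p^*."""
    return {"p": 2039, "q": 1019, "g": 4}

def KG(par, ID):
    """Key generation: sk = x in [1, q-1], pk = g^x. ID is unused here but
    kept to match the KG(par, ID) syntax."""
    sk = secrets.randbelow(par["q"] - 1) + 1
    return pow(par["g"], sk, par["p"]), sk

def valid_pk(par, pk):
    """Added check (not on the slides): accept only elements of the order-q
    subgroup other than the identity."""
    return (isinstance(pk, int) and 1 < pk < par["p"]
            and pow(pk, par["q"], par["p"]) == 1)

def SK(par, ID1, pk1, ID2, sk2):
    """Shared key K = H(ID_lo, ID_hi, pk1^sk2); None stands for ⊥."""
    if ID1 == ID2 or not valid_pk(par, pk1):
        return None
    shared = pow(pk1, sk2, par["p"])
    # Assumption: identities are hashed in sorted order so both parties
    # feed H the same input regardless of who runs SK.
    lo, hi = sorted([ID1, ID2])
    width = (par["p"].bit_length() + 7) // 8
    h = hashlib.sha256()
    for part in (lo.encode(), hi.encode(), shared.to_bytes(width, "big")):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

if __name__ == "__main__":
    par = CS()
    pkA, skA = KG(par, "Alice")
    pkB, skB = KG(par, "Bob")
    # Correctness requirement: both parties derive the same key.
    assert SK(par, "Bob", pkB, "Alice", skA) == SK(par, "Alice", pkA, "Bob", skB)
    assert SK(par, "Alice", pkA, "Alice", skA) is None        # ID_1 = ID_2
    assert SK(par, "Mallory", par["p"] - 1, "Alice", skA) is None  # order-2 element
```
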
Applications of NIKE

- wireless and sensor networks
  - conserving battery is a prime concern
  - energy cost of communication must be minimised
  - minimising the number of bits to be transmitted is fundamental
  - [ÇapGoePatQuaTowZaf]
    1. evaluate the energy costs of interactive and non-interactive key exchange
    2. demonstrate that significant energy savings can be made by adopting a non-interactive approach
- deniable authentication [DodKatSmiWal09]
  - explicitly requires a non-interactive key exchange
- basis for interactive key exchange [BoyMaoPat04]
  - the shared key can be used in a MAC to authenticate an exchange of ephemeral Diffie-Hellman values
- non-interactive designated verifier signature schemes [JakSakImp96]
  - again using the shared key in a MAC to authenticate messages

Motivation

Why should we study NIKE?

NIKE is a fundamental cryptographic primitive, but has not received much attention:
- 1976: major contribution in the ground-breaking paper of Diffie and Hellman
- 2008: [CasKilSho08] provides a basic security model for NIKE (the CKS model), analyses the Diffie-Hellman based scheme as well as a variant of it in the ROM
- 2000: [SakOhgKas00] provides an ID-based NIKE secure in the ROM

Motivation

In practice, the public keys will be certified, and consideration needs to be given to modelling the key registration process.

There are different possible security models for NIKE - with and without dishonest key registration (DKR) of public keys:
- easy to get standard model security without DKR - does not reflect how CAs actually operate
- easy to get ROM security with DKR - e.g. Hashed Diffie-Hellman: $K = H(\text{Alice}, \text{Bob}, g^{xy})$

Challenge: What about standard model security with DKR? (coming next)

Contributions of this work

- new security models for NIKE
  - we provide different security models for NIKE and explore the relationships between them
  - we focus on adversarial key registration queries, which pose the main technical obstacle to achieving NIKE security
  - we use as a starting point the CKS security model
- constructions for secure NIKE
  - a provably secure NIKE scheme in the standard model (our main construction) - based on pairings
  - a provably secure scheme under the factoring assumption in the ROM
  - Challenge: what about a factoring-based construction secure in the standard model?
    we obtain such a scheme under the additional assumption that the adversary only registers valid public keys
    (reflects the technical challenge involved in achieving our DKR security notions)
- conversion from NIKE to KEM
  - we show that a secure NIKE implies an IND-CCA secure PKE scheme

Security Models: The CKS security model

Game between Adversary $A$ and Challenger $C$:

- Setup: $C$ computes $par \leftarrow CS(1^k)$ and $b \leftarrow \{0, 1\}$; $A$ receives $par$.
- Reg.Hon($ID$): $C$ computes $(pk, sk) \leftarrow KG(par, ID)$, stores $(honest, ID, pk, sk)$; $A$ receives $pk$.
- Reg.Cor($ID$, $pk$): $C$ stores $(corrupt, ID, pk, \perp)$.
- Corrupt Reveal($ID_1$, $ID_2$): $C$ computes $K_{1,2} \leftarrow SK(ID_1, pk_1, ID_2, sk_2)$; $A$ receives $K_{1,2}$.
- Test($ID_A$, $ID_B$): $A$ receives $K^*$, where $K^* = K_{A,B}$ if $b = 0$ and $K^*$ is random if $b = 1$.
- Output: $A$ returns a guess $\hat{b}$.

Callouts on the slide:
- minimizes assumptions about the CA
- [second callout, marked ✗: text not recoverable]

Security Models: The m-CKS-heavy security model

Adversary $A$, Challenger $C$