On Tightly Secure Non-Interactive Key Exchange
Julia Hesse (Technische Universität Darmstadt)
Dennis Hofheinz (Karlsruhe Institute of Technology)
Lisa Kohl (Karlsruhe Institute of Technology)

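Non-Interactive Key Exchange (NIKE)
Published: $\mathsf{pk}_1, \mathsf{pk}_2$
$(\mathsf{pk}_1, \mathsf{sk}_1) \leftarrow \mathsf{KeyGen}$
$(\mathsf{pk}_2, \mathsf{sk}_2) \leftarrow \mathsf{KeyGen}$
$K_{21} = \mathsf{SharedKey}(\mathsf{pk}_2, \mathsf{sk}_1) = \mathsf{SharedKey}(\mathsf{pk}_1, \mathsf{sk}_2) = K_{12}$
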
Tight security
Scheme S secure if problem P hard: A attacks S ⇒ B attacks P s.t.
$\mathrm{Advantage}^{S}_{A} \le L \cdot \mathrm{Advantage}^{P}_{B}$ (+ similar runtime), where $L$ is the security loss
◮ Asymptotic security: $L \le$ polynomial
◮ Tight security: $L$ small (e.g. small constant)
Why do we care?
◮ Theory: closer relation between P and S
◮ Practice: smaller keys ⇒ more efficient instantiations

Recap: Diffie-Hellman Key Exchange [DH76; CKS08]
$G$ group, $\langle g \rangle = G$, $p := |G|$
$a \leftarrow \mathbb{Z}_p$, publish $g^a$
$b \leftarrow \mathbb{Z}_p$, publish $g^b$
$K_{21} = (g^b)^a = g^{ab} = (g^a)^b = K_{12}$
Decisional DH: $a, b, c \leftarrow_R \mathbb{Z}_p$: $(g^a, g^b, g^{ab}) \approx_c (g^a, g^b, g^c)$

(Simplified) Security model
[Figure: public keys $\mathsf{pk}_1, \dots, \mathsf{pk}_n$]

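(Simplified) Security of NIKE w/ extractions
Challenger: $(\mathsf{pk}_i, \mathsf{sk}_i) \leftarrow \mathsf{KeyGen}$; sends $\mathsf{pk}_1, \dots, \mathsf{pk}_n$ to $A$
$A$ sends $i^\star, j^\star$
Challenger: $b \leftarrow \{0, 1\}$, $K_0 \leftarrow \mathsf{SharedKey}(\mathsf{pk}_{i^\star}, \mathsf{sk}_{j^\star})$, $K_1$ random key; sends $\{\mathsf{sk}_i\}_{i \notin \{i^\star, j^\star\}}$, $K_b$ to $A$
$A$ outputs $b^\star$
$\mathrm{Advantage}^{\mathrm{nike}}_{A} := |\Pr[b^\star = b] - 1/2|$
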
Recap: DH Key Exchange - Security w/ extractions
Idea: $i^\star, j^\star \leftarrow_R \{1, \dots, n\}$, embed DDH-challenge in $\mathsf{pk}_{i^\star}, \mathsf{pk}_{j^\star}$ $\leadsto$ security loss of $\approx n^2$
Reduction knows $\mathsf{sk}_i$ for $i \notin \{i^\star, j^\star\}$
Reduction doesn't know $\mathsf{sk}_i$ for $i \in \{i^\star, j^\star\}$
[BJLS16]: This loss is inherent!

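The guessing reduction sketched above, played against the extraction game from the security-model slide, as an added Python example that is not taken from the slides. It measures how often the reduction B avoids aborting, which is about $2/(n(n-1))$ and hence the $\approx n^2$ loss; the toy group parameters, all function names and the uniformly choosing adversary are assumptions made for illustration.

```python
import random

# Toy group, constructed for illustration (far too small for real use):
# P = 2Q + 1 is a safe prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    sk = rng.randrange(1, Q)
    return pow(G, sk, P), sk              # (pk, sk) = (g^a, a)

def shared_key(pk, sk):
    return pow(pk, sk, P)                 # (g^b)^a = g^(ab)

def reduction_run(n, ddh_tuple, adversary_choice, rng):
    """One run of the guessing reduction B. Returns None if B must abort,
    otherwise (pks, revealed secret keys, challenge key)."""
    X, Y, Z = ddh_tuple
    gi, gj = rng.sample(range(n), 2)      # B's guess for {i*, j*}
    pks, sks = [None] * n, [None] * n
    for i in range(n):
        if i == gi:
            pks[i] = X                    # embedded: B has no sk for this user
        elif i == gj:
            pks[i] = Y                    # embedded: B has no sk for this user
        else:
            pks[i], sks[i] = keygen(rng)  # honest key: B can answer extraction
    i_star, j_star = adversary_choice(pks)
    if {i_star, j_star} != {gi, gj}:
        return None                       # B would have to reveal an sk it lacks
    revealed = {i: sks[i] for i in range(n) if i not in (gi, gj)}
    return pks, revealed, Z               # Z plays the role of K_b

def non_abort_rate(n, trials, seed=0):
    """Fraction of runs B survives against an adversary whose challenge pair
    is uniform and independent of B's guess (hypothetical adversary model)."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        a, b = rng.randrange(1, Q), rng.randrange(1, Q)
        ddh = (pow(G, a, P), pow(G, b, P), pow(G, a * b, P))
        pick = lambda pks: rng.sample(range(len(pks)), 2)
        survived += reduction_run(n, ddh, pick, rng) is not None
    return survived / trials

if __name__ == "__main__":
    for n in (4, 8, 16):
        print(n, non_abort_rate(n, 20000), 2 / (n * (n - 1)))
```
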
Our results
Can we do better?
◮ Yes! First NIKE with security loss $n$ (in the standard model).
Can we do even better?
◮ Seems hard! Lower bound of security loss $n$ for broad class of NIKEs.
+ Generic transformation with tight instantiation:
◮ NIKE with passive security $\leadsto$ NIKE with active security

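The lower bound of [BJLS16]
◮ applies to all NIKEs w/ unique secret keys
◮ rules out tight simple black-box reductions
[Figure: Metareduction $\Lambda$. The reduction $B$ receives an instance of P, is run against a simulated adversary $A_{\mathrm{sim}}$ and is rewound. Messages: $\mathsf{pk}_1, \dots, \mathsf{pk}_n$; $i^\star, j^\star$; $\{\mathsf{sk}_i\}_{i \notin \{i^\star, j^\star\}}$, $K_b$; $b^\star$. $B$ outputs a solution to P. Annotation: the reduction doesn't know $\mathsf{sk}_i$ for $i \in \{i^\star, j^\star\}$ ⇒ it has to abort on all runs $\ne (i^\star, j^\star)$.]
◮ Idea: simulate $A$ by computing $K_{i^\star j^\star}$ with extracted $\mathsf{sk}_{j^\star}$ (or $\mathsf{sk}_{i^\star}$)
◮ $\exists$ run $\ne (i^\star, j^\star)$ on which $B$ does not abort ⇒ problem P easy
◮ ⇒ security loss of at least $\Omega(n^2)$
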
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness: $\forall (\mathsf{pk}_1, \mathsf{sk}_1), (\mathsf{pk}_2, \mathsf{sk}_2)$: $\mathsf{SharedKey}(\mathsf{pk}_2, \mathsf{sk}_1) = \mathsf{SharedKey}(\mathsf{pk}_1, \mathsf{sk}_2)$
Solution: invalid public keys (w/o secret keys)
valid public keys $\approx_c$ invalid public keys
$\forall (\mathsf{pk}_1, \mathsf{sk}_1), \mathsf{pk}_2$: $(\mathsf{pk}_1, \mathsf{pk}_2, \mathsf{SharedKey}(\mathsf{pk}_2, \mathsf{sk}_1)) \equiv (\mathsf{pk}_1, \mathsf{pk}_2, \text{random})$
Note: this requires entropy in $\mathsf{sk}_1$ given $\mathsf{pk}_1$ (and thus many secret keys)!

Recap: Subset membership problem (SMP)
$X$ set, $L \subseteq X$ NP-language
Subset membership assumption for $(X, L)$: $\{x \mid x \leftarrow_R L\} \approx_c \{x \mid x \leftarrow_R X \setminus L\}$