
On Tightly Secure Non-Interactive Key Exchange Julia Hesse - PowerPoint PPT Presentation



  1. On Tightly Secure Non-Interactive Key Exchange
     Julia Hesse (Technische Universität Darmstadt), Dennis Hofheinz (Karlsruhe Institute of Technology), Lisa Kohl (Karlsruhe Institute of Technology)

  2. Non-Interactive Key Exchange (NIKE)
     - Public: $pk_1, pk_2$
     - Party 1: $(pk_1, sk_1) \leftarrow \mathsf{KeyGen}$; party 2: $(pk_2, sk_2) \leftarrow \mathsf{KeyGen}$
     - $K_{21} = \mathsf{SharedKey}(pk_2, sk_1) = K_{12} = \mathsf{SharedKey}(pk_1, sk_2)$

  5. Tight security
     Scheme S secure if problem P hard: A attacks S ⟹ B attacks P s.t.
     $\mathrm{Advantage}^{S}_{A} \le \underbrace{L}_{\text{security loss}} \cdot \mathrm{Advantage}^{P}_{B}$ (+ similar runtime)
     - Asymptotic security: L ≤ polynomial
     - Tight security: L small (e.g. small constant)

     Why do we care?
     - Theory: closer relation between P and S
     - Practice: smaller keys ⇒ more efficient instantiations

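  6. Recap: Diffie-Hellman Key Exchange [DH76; CKS08]
     - $G$ group, $\langle g \rangle = G$, $p := |G|$
     - Party 1: $a \leftarrow \mathbb{Z}_p$, publishes $g^a$; party 2: $b \leftarrow \mathbb{Z}_p$, publishes $g^b$
     - $K_{21} = (g^b)^a = g^{ab} = (g^a)^b = K_{12}$
     - Decisional DH: for $a, b, c \leftarrow_R \mathbb{Z}_p$: $(g^a, g^b, g^{ab}) \approx_c (g^a, g^b, g^c)$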

  7. (Simplified) Security model: $pk_1, \dots, pk_n$

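  10. (Simplified) Security of NIKE w/ extractions
      - Challenger: $(pk_i, sk_i) \leftarrow \mathsf{KeyGen}$; sends $pk_1, \dots, pk_n$ to A
      - A sends $i^\star, j^\star$
      - Challenger: $b \leftarrow \{0, 1\}$, $K_0 \leftarrow \mathsf{SharedKey}(pk_{i^\star}, sk_{j^\star})$, $K_1$ random key; sends $\{sk_i\}_{i \notin \{i^\star, j^\star\}}$, $K_b$ to A
      - A outputs $b^\star$
      - $\mathrm{Advantage}^{\mathrm{nike}}_{A} := |\Pr[b^\star = b] - 1/2|$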

  13. Recap: DH Key Exchange - Security w/ extractions
      - Idea: $i^\star, j^\star \leftarrow_R \{1, \dots, n\}$, embed DDH-challenge in $pk_{i^\star}, pk_{j^\star}$ ⇝ security loss of ≈ $n^2$
      - Reduction knows $sk_i$: $i \notin \{i^\star, j^\star\}$
      - Reduction doesn't know $sk_i$: $i \in \{i^\star, j^\star\}$
      - [BJLS16]: This loss is inherent!

  18. Our results
      Can we do better?
      - Yes! First NIKE with security loss n (in the standard model).

      Can we do even better?
      - Seems hard! Lower bound of security loss n for broad class of NIKEs.

      + Generic transformation with tight instantiation:
      - NIKE with passive security ⇝ NIKE with active security

  27. The lower bound of [BJLS16]
      - applies to all NIKEs w/ unique secret keys
      - rules out tight simple black-box reductions

      Diagram (metareduction Λ): B receives an instance of P and interacts with a simulated adversary $A_{sim}$, exchanging $pk_1, \dots, pk_n$; $i^\star, j^\star$; $\{sk_i\}_{i \notin \{i^\star, j^\star\}}$, $K_b$; $b^\star$. B outputs a solution to P; Λ rewinds B.

      Reduction doesn't know $sk_i$ for $i \in \{i^\star, j^\star\}$ ⇒ has to abort on all runs $\neq (i^\star, j^\star)$
      - Idea: simulate A by computing $K_{i^\star j^\star}$ with extracted $sk_{j^\star}$ (or $sk_{i^\star}$)
      - ∃ run $\neq (i^\star, j^\star)$ on which B does not abort ⇒ problem P easy
      - ⇒ security loss of at least $\Omega(n^2)$

  34. How to circumvent the lower bound of [BJLS16]?
      - Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
      - Our scheme: public keys have many secret keys
      - Not enough! By correctness: $\forall (pk_1, sk_1), (pk_2, sk_2)$: $\mathsf{SharedKey}(pk_2, sk_1) = \mathsf{SharedKey}(pk_1, sk_2)$
      - Solution: invalid public keys (w/o secret keys), with valid public keys $\approx_c$ invalid public keys
      - $\forall (pk_1, sk_1), pk_2$: $(pk_1, pk_2, \mathsf{SharedKey}(pk_2, sk_1)) \equiv (pk_1, pk_2, \text{random})$
      - Note: this requires entropy in $sk_1$ given $pk_1$ (and thus many secret keys)!

  35. Recap: Subset membership problem (SMP)
      - $X$ set, $L \subseteq X$ NP-language
      - Subset membership assumption for $(X, L)$: $\{x \mid x \leftarrow_R L\} \approx_c \{x \mid x \leftarrow_R X \setminus L\}$
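
An added example, not taken from the slides: the guessing reduction of slide 13 run against the DH-based NIKE of slide 6 in the extraction game of slide 10. The toy group parameters, the `GuessingReduction` class and all function names are assumptions made for illustration; the example counts the challenge pairs on which the reduction can answer without revealing a secret key it does not know.

```python
import secrets
from itertools import combinations

# Constructed toy group (NOT secure): order-Q subgroup of Z_P^*, with P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # sk in [1, Q-1]
    return pow(G, sk, P), sk                   # (pk, sk) = (g^sk, sk)

def shared_key(pk_other, sk_own):
    return pow(pk_other, sk_own, P)            # K = pk_other^sk_own = g^(ab)

class GuessingReduction:
    """Hypothetical reduction B: embeds a DDH tuple (g^a, g^b, T) at a guessed pair."""
    def __init__(self, n, ddh_tuple, guess):
        self.guess = frozenset(guess)
        ga, gb, self.T = ddh_tuple
        # B runs KeyGen honestly everywhere except at the guessed pair.
        self.keys = {i: keygen() for i in range(n) if i not in self.guess}
        self.pks = {i: pk for i, (pk, _) in self.keys.items()}
        lo, hi = sorted(self.guess)
        self.pks[lo], self.pks[hi] = ga, gb    # B knows neither a nor b

    def challenge(self, i_star, j_star):
        """Return ({sk_i : i not in {i*, j*}}, K_b), or None if B must abort."""
        if {i_star, j_star} != self.guess:
            return None                        # would need sk of an embedded key
        return {i: sk for i, (_, sk) in self.keys.items()}, self.T

def non_abort_runs(n):
    """For one fixed guess, count challenge pairs B can answer out of all pairs."""
    a, b = keygen()[1], keygen()[1]
    ddh = (pow(G, a, P), pow(G, b, P), pow(G, a * b, P))   # real DDH tuple
    B = GuessingReduction(n, ddh, guess=(0, 1))
    pairs = list(combinations(range(n), 2))
    answered = [p for p in pairs if B.challenge(*p) is not None]
    return len(answered), len(pairs)

def security_loss(n):
    answered, total = non_abort_runs(n)
    return total // answered                   # n(n-1)/2, i.e. on the order of n^2
```

For n users the reduction answers on exactly one of the n(n-1)/2 possible challenge pairs, which is the ≈ n² loss stated on slide 13.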
