on tightly secure non interactive key exchange
play

On Tightly Secure Non-Interactive Key Exchange Julia Hesse - PowerPoint PPT Presentation

May 16, 2023 •292 likes •884 views

On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit at Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1 Non-Interactive Key Exchange (NIKE) pk 1 , pk

  1. On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit¨ at Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1

  2. Non-Interactive Key Exchange (NIKE) pk 1 , pk 2 (pk 1 , sk 1 ) ← KeyGen (pk 2 , sk 2 ) ← KeyGen K 21 = SharedKey (pk 2 , sk 1 ) = K 12 = SharedKey (pk 1 , sk 2 ) 2

  3. Tight security Scheme S secure if problem P hard: A attacks S = ⇒ B attacks P s.t. Advantage S · Advantage P ≤ L B (+ similar runtime) A ���� security loss ◮ Asymptotic security: L ≤ polynomial 3

  4. Tight security Scheme S secure if problem P hard: A attacks S = ⇒ B attacks P s.t. Advantage S · Advantage P ≤ L B (+ similar runtime) A ���� security loss ◮ Asymptotic security: L ≤ polynomial ◮ Tight security: L small (e.g. small constant) 3

  5. Tight security Scheme S secure if problem P hard: A attacks S = ⇒ B attacks P s.t. Advantage S · Advantage P ≤ L B (+ similar runtime) A ���� security loss ◮ Asymptotic security: L ≤ polynomial ◮ Tight security: L small (e.g. small constant) Why do we care? ◮ Theory: closer relation between P and S ◮ Practice: smaller keys ⇒ more efficient instantiations 3

  6. Recap: Diffie-Hellman Key Exchange [DH76; CKS08] G group, � g � = G , p := | G | g a , g b a ← Z p b ← Z p = g ab = K 21 = ( g b ) a K 12 = ( g a ) b Decisional DH: a , b , c ← R Z p : ( g a , g b , g ab ) ≈ c ( g a , g b , g c ) 4

  7. (Simplified) Security model pk 1 , · · · , pk n 5

  8. (Simplified) Security model pk 1 , · · · , pk n 5

  9. (Simplified) Security model pk 1 , · · · , pk n 5

  10. (Simplified) Security of NIKE w/ extractions pk 1 , . . . , pk n (pk i , sk i ) ← KeyGen i ⋆ , j ⋆ b ← { 0 , 1 } K 0 ← SharedKey (pk i ⋆ , sk j ⋆ ) A K 1 random key { sk i } i / ∈{ i ⋆ , j ⋆ } , K b b ⋆ := | Pr[ b ⋆ = b ] − 1 / 2 | Advantage nike A 6

  11. Recap: DH Key Exchange - Security w/ extractions Idea: i ⋆ , j ⋆ ← R { 1 , . . . , n } , embed DDH-challenge in pk i ⋆ , pk j ⋆ 7

  12. Recap: DH Key Exchange - Security w/ extractions Idea: i ⋆ , j ⋆ ← R { 1 , . . . , n } , embed DDH-challenge in pk i ⋆ , pk j ⋆ � security loss of ≈ n 2 Reduction knows sk i Reduction doesn’t know sk i ∈ { i ⋆ , j ⋆ } i ∈ { i ⋆ , j ⋆ } i / 7

  13. Recap: DH Key Exchange - Security w/ extractions Idea: i ⋆ , j ⋆ ← R { 1 , . . . , n } , embed DDH-challenge in pk i ⋆ , pk j ⋆ � security loss of ≈ n 2 Reduction knows sk i Reduction doesn’t know sk i ∈ { i ⋆ , j ⋆ } i ∈ { i ⋆ , j ⋆ } i / [BJLS16]: This loss is inherent! 7

  14. Our results Can we do better? 8

  15. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). 8

  16. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). Can we do even better? 8

  17. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). Can we do even better? ◮ Seems hard! Lower bound of security loss n for broad class of NIKEs. 8

  18. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). Can we do even better? ◮ Seems hard! Lower bound of security loss n for broad class of NIKEs. + Generic transformation with tight instantiation: ◮ NIKE with passive security � NIKE with active security 8

  19. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions 9

  20. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ B A { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ 9

  21. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ B A sim A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ 9

  22. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) 9

  23. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort 9

  24. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy 9

  25. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy � ◮ ⇒ security loss of at least Ω( n 2 ) 9

  26. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions Reduction doesn’t know sk i pk 1 , . . . , pk n Instance of P i ∈ { i ⋆ , j ⋆ } i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy � ◮ ⇒ security loss of at least Ω( n 2 ) 9

  27. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions Reduction doesn’t know sk i pk 1 , . . . , pk n Instance of P i ∈ { i ⋆ , j ⋆ } i ⋆ , j ⋆ rewind B B A sim ⇒ has to abort on all runs � = ( i ⋆ , j ⋆ ) { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy � ◮ ⇒ security loss of at least Ω( n 2 ) 9

  28. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key 10

  29. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys 10

  30. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) 10

  31. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) 10

  32. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) ≈ c valid public keys invalid public keys 10

  33. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) ≈ c valid public keys invalid public keys ∀ (pk 1 , sk 1 ) , pk 2 : (pk 1 , pk 2 , SharedKey (pk 2 , sk 1 )) ≡ (pk 1 , pk 2 , random ) 10

  34. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) ≈ c valid public keys invalid public keys ∀ (pk 1 , sk 1 ) , pk 2 : (pk 1 , pk 2 , SharedKey (pk 2 , sk 1 )) ≡ (pk 1 , pk 2 , random ) Note: this requires entropy in sk 1 given pk 1 (and thus many secret keys)! 10

  35. Recap: Subset membership problem (SMP) X set, L ⊆ X NP-language Subset membership assumption for ( X , L ): ≈ c { x | x ← R L } { x | x ← R X \ L }

Recommend

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

360 views • 34 slides
Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis Ho<einz and Tibor Jager Karlsruhe Ins,tute of Technology CRYPTO 2012 1 Tight

477 views • 15 slides
Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung Chan (CityU) Joint work with Navin Kashyap (IISc), Praneeth Kumar Vippathalla, (IISc) and Qiaoqiao Zhou (CUHK) Audio slides:

443 views • 17 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1

Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1

Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1 , Saqib A. Kakvi 2 , Eike Kiltz 2 , Jiaxin Pan 2 1 University of Limoges, France 2 Ruhr University Bochum, Germany Keywords 1. Signatures 2. Tight

725 views • 44 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and Neil Brinkley Background The MRA and SPAA require that Suppliers and Networks Operators work together to resolve a number of issues that may arise

975 views • 28 slides
Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G.

Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G.

Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson PKC 2013 - Nara, Japan March 1, 2013 Non-Interactive Key Exchange Goal: Enabling two parties who know each others public key to agree on

588 views • 42 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane Denny and Alessandro Scarlatti Background The majority of communications in the Electricity and Gas Market are managed by sending Data Flows

293 views • 15 slides
PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable health information among stakeholders and regional networks Vision to develop a framework for the efficient exchange of patient-centric health

478 views • 21 slides
Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek Jain (UCLA) (JHU) Rafail Ostrovsky Ivan Visconti (UCLA) (University of Salerno) Secure Two Party Computation Function f Input x Input y P 2 P 1

443 views • 21 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party Computation 2 1 (, ) Secure Two-Party Computation 2 1 (, ) Non-Interactive Secure

2.32k views • 48 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

CS224W: Social and Information Network Analysis Jure Leskovec Stanford University Jure Leskovec, Stanford University http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups Network communities: Sets of

351 views • 34 slides
Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round GAKE Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng Yang Ruhr-University Bochum CANS 2013 1 / 40 Introduction, Motivation and Contributions GAKE Security Model

515 views • 50 slides
SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS

SECURING SECURE SHELL INTERACTIVE AND AUTOMATED ACCESS MANAGEMENT AGAINST INSIDER THREATS Applying Due Care Via Common Sense Approach April 2017 100% 46% Ponemon 2014 SSH Security Vulnerability of 2000 Global do not Organizations Report

307 views • 29 slides
Reusable Non-Interactive Secure Computation Melissa Chase (MSR Redmond) Yevgeniy Dodis (NYU)

Reusable Non-Interactive Secure Computation Melissa Chase (MSR Redmond) Yevgeniy Dodis (NYU)

Reusable Non-Interactive Secure Computation Melissa Chase (MSR Redmond) Yevgeniy Dodis (NYU) Yuval Ishai (Technion) Daniel Kraschewski (TNG Technology Consulting) Tianren Liu (MIT UW) Rafail Ostrovsky (UCLA) Vinod Vaikuntanathan

1.31k views • 109 slides
New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem

New Impossibility Results for Concurrent Composition and a Non-Interactive Completeness Theorem for Secure Computation Abishek Kumarasubramanian Secure Computation [Yao,GMW] Security guarantee only Corrupted party learns no when protocol runs

369 views • 16 slides
Closing the Loop : Creating an Interactive Materials Exchange in Tennessee Sustainable Industry

Closing the Loop : Creating an Interactive Materials Exchange in Tennessee Sustainable Industry

Closing the Loop : Creating an Interactive Materials Exchange in Tennessee Sustainable Industry Workshops 2017 Circular Economy: What does it mean? A 2016 online survey of sustainability professionals conducted by Green Biz Magazine reveals

520 views • 33 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
for cryptocurrency and blockchain assets. With our unique exchange facility we offer: Secure &

for cryptocurrency and blockchain assets. With our unique exchange facility we offer: Secure &

Gatecoin is the bridge between the legacy financial system and blockchain Gatecoin is a regulated online trading platform for cryptocurrency and blockchain assets. With our unique exchange facility we offer: Secure & compliant trading

505 views • 6 slides
Ontology Based Information Exchange Management Ontology Based Information Exchange Management

Ontology Based Information Exchange Management Ontology Based Information Exchange Management

Ontology Based Information Exchange Management Ontology Based Information Exchange Management System for Secure Coalition Interoperability System for Secure Coalition Interoperability 21 May 2008 21 May 2008 AFCEA-GMU Critical Issues in

549 views • 32 slides
Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory Jean-Christophe Deneuville < jean-christophe.deneuville@xlim.fr > June the 26 th , 2017 PQCrypto 17 Utrecht Joint work with: P. Gaborit G. Z

1.54k views • 84 slides

More recommend