Post on 26-Jun-2020
On Tightly Secure Non-Interactive Key Exchange
Julia Hesse (Technische Universitat Darmstadt)Dennis Hofheinz (Karlsruhe Institute of Technology)Lisa Kohl (Karlsruhe Institute of Technology)
1
Non-Interactive Key Exchange (NIKE)
(pk1, sk1)← KeyGen
K21 = SharedKey(pk2, sk1)
(pk2, sk2)← KeyGen
K12 = SharedKey(pk1, sk2)
pk1, pk2
=
2
Tight security
Scheme S secure if problem P hard:
A attacks S =⇒ B attacks P s.t.
AdvantageSA ≤ L︸︷︷︸security loss
· AdvantagePB (+ similar runtime)
I Asymptotic security: L ≤ polynomial
I Tight security: L small (e.g. small constant)
Why do we care?
I Theory: closer relation between P and SI Practice: smaller keys ⇒ more efficient instantiations
3
Tight security
Scheme S secure if problem P hard:
A attacks S =⇒ B attacks P s.t.
AdvantageSA ≤ L︸︷︷︸security loss
· AdvantagePB (+ similar runtime)
I Asymptotic security: L ≤ polynomial
I Tight security: L small (e.g. small constant)
Why do we care?
I Theory: closer relation between P and SI Practice: smaller keys ⇒ more efficient instantiations
3
Tight security
Scheme S secure if problem P hard:
A attacks S =⇒ B attacks P s.t.
AdvantageSA ≤ L︸︷︷︸security loss
· AdvantagePB (+ similar runtime)
I Asymptotic security: L ≤ polynomial
I Tight security: L small (e.g. small constant)
Why do we care?
I Theory: closer relation between P and SI Practice: smaller keys ⇒ more efficient instantiations
3
Recap: Diffie-Hellman Key Exchange[DH76; CKS08]G group, 〈g〉 = G, p := |G|
a← Zp
K21 = (gb)a
b ← Zp
K12 = (ga)b
ga, gb
= gab =
Decisional DH: a, b, c ←R Zp: (ga, gb, gab) ≈c (ga, gb, g c)4
(Simplified) Security model
pk1, · · · , pkn
5
(Simplified) Security model
pk1, · · · , pkn
5
(Simplified) Security model
pk1, · · · , pkn
5
(Simplified) Security of NIKE w/ extractions
b?
A
pk1, . . . , pkn(pki , ski )← KeyGen
i?, j?
skii /∈i?,j?,Kb
b ← 0, 1K0 ← SharedKey(pki? , skj?)K1 random key
AdvantagenikeA := |Pr[b? = b]− 1/2|
6
Recap: DH Key Exchange - Security w/ extractions
Idea: i?, j? ←R 1, . . . , n, embed DDH-challenge in pki? , pkj?
security loss of ≈ n2
Reduction doesn’t know ski
Reduction knows ski
i ∈ i?, j?i /∈ i?, j?
[BJLS16]: This loss is inherent!
7
Recap: DH Key Exchange - Security w/ extractions
Idea: i?, j? ←R 1, . . . , n, embed DDH-challenge in pki? , pkj?
security loss of ≈ n2
Reduction doesn’t know skiReduction knows ski
i ∈ i?, j?i /∈ i?, j?
[BJLS16]: This loss is inherent!
7
Recap: DH Key Exchange - Security w/ extractions
Idea: i?, j? ←R 1, . . . , n, embed DDH-challenge in pki? , pkj?
security loss of ≈ n2
Reduction doesn’t know skiReduction knows ski
i ∈ i?, j?i /∈ i?, j?
[BJLS16]: This loss is inherent!
7
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
Our results
Can we do better?
I Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
I Seems hard! Lower bound of security loss n for broad class of NIKEs.
+ Generic transformation with tight instantiation:
I NIKE with passive security NIKE with active security
8
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewindrewind
b?
b?
Metareduction Λ
A
simA
sim
A
sim
BB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j?
with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewindrewind
b?
b?
Metareduction Λ
A
simA
sim
A
sim
BB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j?
with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewindrewind
b?
b?
Metareduction Λ
AsimAsim
Asim
BB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kb
skii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j?
with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?
rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
skii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)
I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy E
I ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort
⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy
EI ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?
rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
The lower bound of [BJLS16]
I applies to all NIKEs w/ unique secret keys
I rules out tight simple black-box reductions
⇒ has to abort on all runs 6= (i?, j?)
Reduction doesn’t know ski
i ∈ i?, j?
rewind
rewind
b?
b?
Metareduction Λ
AsimAsim
AsimBB
pk1, . . . , pknInstance of P
Solution to P
i?, j?
skii /∈i?,j?,Kb
skii /∈i?,j?,Kbskii /∈i?,j?,Kb
I Idea: simulate A by computing Ki?j? with extracted skj? (or ski?)I ∃ run 6= (i?, j?) on which B does not abort ⇒ problem P easy EI ⇒ security loss of at least Ω(n2)
9
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness:
∀(pk1, sk1), (pk2, sk2) : SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
≈c invalid public keysvalid public keys
∀(pk1, sk1), pk2 : (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
10
Recap: Subset membership problem (SMP)
X set, L ⊆ X NP-language
Subset membership assumption for (X , L):
≈c x | x ←R X \ Lx | x ←R L
≈c invalid public keysvalid public keys
11
Recap: Subset membership problem (SMP)
X set, L ⊆ X NP-language
Subset membership assumption for (X , L):
≈c x | x ←R X \ Lx | x ←R L
≈c invalid public keysvalid public keys
11
Recap: Hash proof system[CS98]
HPS = (Gen, PubEval, PrivEval) is HPS for language L if:
PubEval(hpk, x ,w)
PrivEval(hsk , x)
return the same key K for all x ∈ L with witness w
Universality: ∀x /∈ L, (hpk, hsk )← Gen:
(hpk, x , PrivEval(hsk , x)) ≡ (hpk, x , random)
12
Our NIKEVariation of the PAKE of [KOY01; GL03]
HPS = (Gen, PubEval, PrivEval) for L, SMP for L ⊆ X hard
Note:I hsk not unique
I can switch x to X\L
x1 ← L with witness w1
(hpk1, hsk1)← Gen
K21 = PubEval(hpk2, x1,w1)
x2 ← L with witness w2
(hpk2, hsk2)← Gen
K12 = PrivEval(hsk2, x1)
(hpk1,
x1
)
,
(
hpk2
, x2)
=
13
Our NIKEVariation of the PAKE of [KOY01; GL03]
HPS = (Gen, PubEval, PrivEval) for L, SMP for L ⊆ X hard
Note:I hsk not unique
I can switch x to X\L
x1 ← L with witness w1
(hpk1, hsk1)← Gen
K21 = PubEval(hpk2, x1,w1)
x2 ← L with witness w2
(hpk2, hsk2)← Gen
K12 = PrivEval(hsk2, x1)
(hpk1, x1), (hpk2, x2)
=
13
Our NIKEVariation of the PAKE of [KOY01; GL03]
HPS = (Gen, PubEval, PrivEval) for L, SMP for L ⊆ X hard
Note:I hsk not unique
I can switch x to X\L
x1 ← L with witness w1
(hpk1, hsk1)← Gen
K21 = PubEval(hpk2, x1,w1)
x2 ← L with witness w2
(hpk2, hsk2)← Gen
K12 = PrivEval(hsk2, x1)
(hpk1, x1), (hpk2, x2)
=
13
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
Proof of Security - Idea
Idea: i? ←R 1, . . . , n, embed SMP-challenge as xi? in pki?
∀j > i? : Ki?j = PrivEval(hsk j , xi?)
≈ random if xi? ∈ X\L and hsk j unknown
security loss of only n
Reduction doesn’t know skiReduction knows ski
i = i?i 6= i?
14
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j?
⇒ loss of Ω(n)
15
Towards a new lower bound
[BJLS16]:
I obtain ski? or skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? and all runs without j? ⇒ loss of Ω(n2)
Problem: ski? , skj? not unique
Observation: uniqueness of Ki?j? sufficient
I shared keys between valid public keys unique
I invalid public keys have no secret keys
Our metareduction:
I Idea: obtain ski? and skj? via rewinding to compute unique Ki?j?
I reduction aborts on all runs without i? or on all runs without j? ⇒ loss of Ω(n)
15
From passive to active security
Idea: add unbounded simulation sound NIZK proof of knowledge of secret key
I USS-NIZK allows to simulate during the reduction
I PoK allows to extract the secret key from corrupted users
Instantiation:
I generic instantiation from standard components
I optimized tightly secure instantiation for our NIKE
16
From passive to active security
Idea: add unbounded simulation sound NIZK proof of knowledge of secret key
I USS-NIZK allows to simulate during the reduction
I PoK allows to extract the secret key from corrupted users
Instantiation:
I generic instantiation from standard components
I optimized tightly secure instantiation for our NIKE
16
Our resultsReference |pk| sec. model sec. loss assumption uses
[DH76] 1×G passive n2 DDH -Ours 3×G passive n DDH -
[CKS08] 2×G active? 2 CDH ROM[FHKP13] 1× ZN active n2 factoring ROM[FHKP13] 2×G + 1× Zp active n2 DBDH pairingOurs 12×G active n DLIN pairing
*w/o extractionsModular constructions
New lower bound:I applies to all schemes where invalid public keys have no secret keysI yields a loss of Ω(n) for all simple black-box reductions
Generic transformation from passive to active secure NIKE Thank you!!
17
Bibliography IChristoph Bader, Tibor Jager, Yong Li, and Sven Schage. “On theImpossibility of Tight Cryptographic Reductions”. In:EUROCRYPT 2016, Part II. Ed. by Marc Fischlin andJean-Sebastien Coron. Vol. 9666. LNCS. Springer, Heidelberg, May 2016,pp. 273–304. doi: 10.1007/978-3-662-49896-5_10.
David Cash, Eike Kiltz, and Victor Shoup. “The Twin Diffie-HellmanProblem and Applications”. In: EUROCRYPT 2008. Ed. byNigel P. Smart. Vol. 4965. LNCS. Springer, Heidelberg, Apr. 2008,pp. 127–145.
Ronald Cramer and Victor Shoup. “A Practical Public Key CryptosystemProvably Secure Against Adaptive Chosen Ciphertext Attack”. In:CRYPTO’98. Ed. by Hugo Krawczyk. Vol. 1462. LNCS. Springer,Heidelberg, Aug. 1998, pp. 13–25.
18
Bibliography II
Whitfield Diffie and Martin E. Hellman. “New Directions inCryptography”. In: IEEE Transactions on Information Theory 22.6(1976), pp. 644–654.
Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, andKenneth G. Paterson. “Non-Interactive Key Exchange”. In: PKC 2013.Ed. by Kaoru Kurosawa and Goichiro Hanaoka. Vol. 7778. LNCS. Springer,Heidelberg, 2013, pp. 254–271. doi: 10.1007/978-3-642-36362-7_17.
Rosario Gennaro and Yehuda Lindell. “A Framework for Password-BasedAuthenticated Key Exchange”. In: EUROCRYPT 2003. Ed. by Eli Biham.Vol. 2656. LNCS. http://eprint.iacr.org/2003/032.ps.gz.Springer, Heidelberg, May 2003, pp. 524–543.
19
Bibliography III
Jonathan Katz, Rafail Ostrovsky, and Moti Yung. “EfficientPassword-Authenticated Key Exchange Using Human-MemorablePasswords”. In: EUROCRYPT 2001. Ed. by Birgit Pfitzmann. Vol. 2045.LNCS. Springer, Heidelberg, May 2001, pp. 475–494.
Eike Kiltz and Hoeteck Wee. “Quasi-Adaptive NIZK for Linear SubspacesRevisited”. In: EUROCRYPT 2015, Part II. Ed. by Elisabeth Oswald andMarc Fischlin. Vol. 9057. LNCS. Springer, Heidelberg, Apr. 2015,pp. 101–128. doi: 10.1007/978-3-662-46803-6_4.
20