Non-Interactive Key Exchange
Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson
PKC 2013 - Nara, Japan, March 1, 2013
Non-Interactive Key Exchange
Goal: Enabling two parties who know each other's public key to agree on a symmetric shared key without requiring any interaction.
Classical example: Diffie-Hellman Key Exchange
Let $G$ be a group of prime order $p$ with generator $g$.
Alice: $sk_A : x \leftarrow \mathbb{Z}_p$, $pk_A : X = g^x \in G$
Bob: $sk_B : y \leftarrow \mathbb{Z}_p$, $pk_B : Y = g^y \in G$
Shared key: $K = X^y = Y^x = g^{xy}$. More properly, $K = H(\text{Alice}, \text{Bob}, g^{xy})$.
Formal Definition of NIKE
A NIKE scheme consists of 3 algorithms: CS, KG, SK. We consider an identity space IDS and a shared key space SHK.
CS($1^k$) (Common Setup, run by a trusted authority)
- output: set of system parameters $par$
KG($par$, ID) (Key Generation, run by any user)
- output: a pair of public key and private key $(pk, sk)$
SK($ID_1, pk_1, ID_2, sk_2$) (Shared Key, run by any user)
- output: either a shared key $K_{1,2} \in SHK$ or $\bot$
- this algorithm is assumed to always output $\bot$ if $ID_1 = ID_2$
Correctness requirement: we require $SK(ID_1, pk_1, ID_2, sk_2) = SK(ID_2, pk_2, ID_1, sk_1)$ for any pair of identities $ID_1, ID_2$ and corresponding key pairs $(pk_1, sk_1)$ and $(pk_2, sk_2)$.
Identities are used to track which public keys are associated with which users. We are not in the identity-based setting!
Applications of NIKE
- wireless and sensor networks: conserving battery is a prime concern; the energy cost of communication must be minimised, so minimising the number of bits to be transmitted is fundamental. [ÇapGoePatQuaTowZaf] 1. evaluate the energy costs of interactive and non-interactive key exchange, 2. demonstrate that significant energy savings can be made by adopting a non-interactive approach
- deniable authentication: [DodKatSmiWal09] explicitly requires a non-interactive key exchange
- basis for interactive key exchange: [BoyMaoPat04] the shared key can be used in a MAC to authenticate an exchange of ephemeral Diffie-Hellman values
- non-interactive designated verifier signature schemes: [JakSakImp96] again using the shared key in a MAC to authenticate messages
Motivation
Why should we study NIKE? NIKE is a fundamental cryptographic primitive, but has not received much attention.
- 1976: major contribution in the ground-breaking paper of Diffie and Hellman
- 2000: [SakOhgKas00] provides an ID-based NIKE secure in the ROM
- 2008: [CasKilSho08] provides a basic security model for NIKE (the CKS model) and analyses the Diffie-Hellman based scheme as well as a variant of it in the ROM
Motivation
In practice, the public keys will be certified, and consideration needs to be given to modelling the key registration process. There are different possible security models for NIKE, with and without dishonest key registration (DKR) of public keys:
- easy to get standard model security without DKR, but this does not reflect how CAs actually operate
- easy to get ROM security with DKR, e.g. Hashed Diffie-Hellman: $K = H(\text{Alice}, \text{Bob}, g^{xy})$
Challenge: what about standard model security with DKR? (coming next)
Contributions of this work
new security models for NIKE
- we provide different security models for NIKE and explore the relationships between them
- we focus on adversarial key registration queries, which pose the main technical obstacle to achieving NIKE security
- we use the CKS security model as a starting point
constructions for secure NIKE
- a provably secure NIKE scheme in the standard model (our main construction), based on pairings
- a provably secure scheme under the factoring assumption in the ROM
- Challenge: what about a factoring-based construction secure in the standard model? We obtain such a scheme under the additional assumption that the adversary only registers valid public keys (this reflects the technical challenge involved in achieving our DKR security notions)
conversion from NIKE to KEM
- we show that a secure NIKE implies an IND-CCA secure PKE scheme
Security Models
The CKS security model
Challenger C: $par \leftarrow CS(1^k)$; $b \leftarrow \{0, 1\}$; C sends $par$ to the adversary A.
Queries by A, answered by C:
- Reg.Hon(ID): $(pk, sk) \leftarrow KG(par, ID)$; C records $(\text{honest}, ID, pk, sk)$ and returns $pk$
- Reg.Cor(ID, pk): C records $(\text{corrupt}, ID, pk, \bot)$
- Reveal($ID_1, ID_2$), one honest and one corrupt user: C returns $K_{1,2} \leftarrow SK(ID_1, pk_1, ID_2, sk_2)$
- Test($ID_A, ID_B$): C returns $K^* = K_{A,B}$ if $b = 0$, random if $b = 1$
Finally A outputs a guess $\hat{b}$.
✓ minimizes assumptions about the CA
✗ omits some abilities of an adversary
Security Models
The m-CKS-heavy security model
Challenger C: $par \leftarrow CS(1^k)$; $b \leftarrow \{0, 1\}$; C sends $par$ to the adversary A.
Queries by A, answered by C (queries may be made adaptively and are arbitrary in number):
- Reg.Hon(ID): $(pk, sk) \leftarrow KG(par, ID)$; C records $(\text{honest}, ID, pk, sk)$ and returns $pk$
- Reg.Cor(ID, pk): C records $(\text{corrupt}, ID, pk, \bot)$
- Extract(ID): for a record $(\text{honest}, ID, pk, sk)$, C returns $sk$; restriction: $ID \notin \{ID_A, ID_B\}$
- Reveal($ID_1, ID_2$), honest/honest or honest/corrupt pair: C returns $K_{1,2} \leftarrow SK(ID_1, pk_1, ID_2, sk_2)$; restriction: $\{ID_1, ID_2\} \neq \{ID_A, ID_B\}$
- Test($ID_A, ID_B$): C returns $K^* = K_{A,B}$ if $b = 0$, random if $b = 1$
Finally A outputs a guess $\hat{b}$.
Security Models and Their Relationships

Sec.Model     Reg.Hon.  Reg.Cor.  Extract  Hon.Reveal  Cor.Reveal  Test
CKS-light     2         ✓         ✗        ✗           ✓           1
CKS           ✓         ✓         ✗        ✗           ✓           ✓
CKS-heavy     ✓         ✓         ✓        ✓           ✓           1
m-CKS-heavy   ✓         ✓         ✓        ✓           ✓           ✓

(✓: arbitrarily many queries of that type; ✗: not allowed; a number: exactly that many queries)
CKS-light is the simplest security model! Relationships: CKS-light ⇔ CKS ⇔ CKS-heavy ⇔ m-CKS-heavy
NIKE in the Standard Model from Pairings - NIKE$_{\text{dbdh-2}}$
Ingredients
Programmable Hash Function - PHF [HofKil08]
- used to employ partitioning techniques (can be instantiated in the standard model)
- maps a bitstring $X$ to a group element $PHF(X)$
- a trapdoor allows to decompose $PHF(X) = g^{a_X} h^{b_X}$ for chosen $g$ and $h$
- a PHF is $(m, n)$-programmable if for all $X_1, \ldots, X_m$ and $Z_1, \ldots, Z_n$ with $X_i \neq Z_j$, $\Pr[a_{X_i} = 0 \wedge a_{Z_j} \neq 0]$ is significant, i.e. $PHF(X_i) = h^{b_{X_i}}$ while $PHF(Z_j) = g^{a_{Z_j}} h^{b_{Z_j}}$
Chameleon Hash Function - ChamH [KraRab00]
- collision-resistant: hard to find $(m_1, r_1) \neq (m_2, r_2)$ such that $ChamH(m_1, r_1) = ChamH(m_2, r_2)$
- trapdoor collisions: given any pair $(m_1, r_1)$ and a message $m_2$, it is possible to find $r_2$ (with use of a trapdoor $ck$) such that $ChamH(m_1, r_1) = ChamH(m_2, r_2)$
- there exist DL- and RSA-based realizations
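A concrete DL-based chameleon hash, added here as an example (not code from the slides or the paper), shows both listed properties in working form: ChamH_hk(m, r) = g^m h^r with h = g^alpha, where alpha is the trapdoor ck, so that given (m1, r1) and m2 the collision randomness r2 follows from one modular inverse, while without alpha finding a collision amounts to computing a discrete logarithm. The toy group parameters, the SHA-256 map from bitstrings such as Z||ID into Z_q, and all function names are assumptions of this example.

```python
"""DL-based chameleon hash with trapdoor collisions (added example, not the paper's code)."""
import hashlib
import secrets

# Constructed toy parameters (assumption, not from the paper): p = 2q + 1 with
# p and q prime, so G = <g> is the order-q subgroup of Z_p^*. A real instance
# needs a cryptographically sized group; these values keep the numbers readable.
P = 2039
Q = 1019
G = 4  # 4 = 2^2 is a quadratic residue mod p, so it generates the order-q subgroup


def cham_keygen():
    """Cham.KG(1^k): hk = (g, h) with h = g^alpha; the trapdoor ck is alpha."""
    alpha = secrets.randbelow(Q - 1) + 1          # alpha in [1, q-1]
    return (G, pow(G, alpha, P)), alpha


def to_zq(data: bytes) -> int:
    """Map an arbitrary bitstring (e.g. Z||ID as hashed in KG) into the message space Z_q."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def cham_hash(hk, m: int, r: int) -> int:
    """ChamH_hk(m, r) = g^m * h^r in G, for m, r in Z_q."""
    g, h = hk
    return (pow(g, m % Q, P) * pow(h, r % Q, P)) % P


def cham_collide(ck: int, m1: int, r1: int, m2: int) -> int:
    """Trapdoor collision: return r2 with ChamH(m1, r1) = ChamH(m2, r2).

    Because h = g^alpha, ChamH(m, r) = g^(m + alpha*r); equating exponents,
    m1 + alpha*r1 = m2 + alpha*r2 (mod q), gives r2 = r1 + (m1 - m2) * alpha^-1.
    Without alpha, producing such an r2 would reveal alpha, i.e. a discrete log of h.
    """
    return (r1 + (m1 - m2) * pow(ck, -1, Q)) % Q


def random_r() -> int:
    """r <- R_Cham = Z_q."""
    return secrets.randbelow(Q)


def demo():
    """Hash a constructed Z||ID string as KG does, then steer a second input onto the same value."""
    hk, ck = cham_keygen()
    m1, r1 = to_zq(b"Z-value-1||alice"), random_r()
    t = cham_hash(hk, m1, r1)
    m2 = to_zq(b"Z-value-2||bob")
    r2 = cham_collide(ck, m1, r1, m2)
    return t, cham_hash(hk, m2, r2), r1, r2
```

Holding only hk, a verifier cannot distinguish the collision pair (m2, r2) from an honestly computed hash, which is exactly the programmability a reduction uses to fix the value t for a target identity in advance.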
NIKE in the Standard Model from Pairings - NIKE$_{\text{dbdh-2}}$
Component algorithms of NIKE$_{\text{dbdh-2}}$
CS($1^k$):
  $PG_2 = (G_1, G_2, G_T, g_1, g_2, p, e, \psi) \leftarrow \mathcal{G}_2(1^k)$; $u_0, u_1, u_2, S \leftarrow G_1^*$; $hk, ck \leftarrow Cham.KG(1^k)$
  $par \leftarrow (PG_2, u_0, u_1, u_2, S, hk)$; return $par$
KG($par$, ID):
  $x \leftarrow \mathbb{Z}_p$; $r \leftarrow R_{Cham}$; $Z \leftarrow g_2^x$
  $t \leftarrow ChamH_{hk}(Z \| ID, r)$ (chameleon hash function); $Y \leftarrow u_0 u_1^t u_2^{t^2}$ (weak $(2, \text{poly})$-PHF); $X \leftarrow Y^x$
  $pk \leftarrow (X, Z, r)$; $sk \leftarrow x$; return $(pk, sk)$
SK($ID_1, pk_1, ID_2, sk_2$):
  If $ID_1 = ID_2$ return $\bot$; parse $pk_1$ as $(X_1, Z_1, r_1)$ and $sk_2$ as $x_2$
  $t_1 \leftarrow ChamH_{hk}(Z_1 \| ID_1, r_1)$
  If $e(X_1, g_2) \neq e(u_0 u_1^{t_1} u_2^{t_1^2}, Z_1)$ (validity check of the public key) then $K_{1,2} \leftarrow \bot$ else $K_{1,2} \leftarrow e(S^{x_2}, Z_1)$
  Return $K_{1,2}$
Correctness: $e(S^{x_2}, Z_1) = e(S, g_2)^{x_1 x_2}$
Security: DBDH-2 assumption. DBDH-2 assumption: given $(g_2^a, g_2^b, g_1^c, T)$, decide whether or not $T = e(g_1, g_2)^{abc}$.
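Why the pairing equation in SK serves as a validity check, as a worked derivation added here in the slides' notation (it is not part of the slides). For an honestly generated $pk_1 = (X_1, Z_1, r_1)$ with $Z_1 = g_2^{x_1}$, $X_1 = Y_1^{x_1}$ and $Y_1 = u_0 u_1^{t_1} u_2^{t_1^2}$, bilinearity gives

$$
e(X_1, g_2) = e(Y_1^{x_1}, g_2) = e(Y_1, g_2)^{x_1} = e(Y_1, g_2^{x_1}) = e(Y_1, Z_1),
$$

so the check always passes. Conversely, every $Z_1 \in G_2$ can be written as $Z_1 = g_2^{z}$ for some $z$, and if the check passes then $e(X_1, g_2) = e(Y_1, g_2)^{z} = e(Y_1^{z}, g_2)$; since $e$ is non-degenerate and the groups have prime order, $X \mapsto e(X, g_2)$ is injective on $G_1$, hence $X_1 = Y_1^{z}$. A registered key that passes the check, even an adversarially chosen one, is therefore consistent with a well-defined secret $z$, which is what lets the shared key be computed from either side:

$$
K_{1,2} = e(S^{x_2}, Z_1) = e(S, g_2^{x_1})^{x_2} = e(S, g_2)^{x_1 x_2} = e(S, g_2^{x_2})^{x_1} = e(S^{x_1}, Z_2) = K_{2,1}.
$$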
Conclusion
Our contributions
- new security models for NIKE: we provided new security models for NIKE and showed that they are all polynomially equivalent to one another and to the original CKS model
- constructions for secure NIKE: we gave constructions for secure NIKE in the ROM and in the standard model (under the challenging security notions with DKR)
- conversion from NIKE to KEM: we showed that a secure NIKE implies an IND-CCA secure PKE scheme (showing the fundamental utility of NIKE)
Open problems
- construct pairing-free NIKE schemes secure in the standard model
- construct ID-based NIKE schemes secure in the standard model
- consider three-party NIKE schemes based on Joux's protocol
Bibliography
[CasKilSho08] The twin Diffie-Hellman problem and applications. Cash, Kiltz and Shoup - Eurocrypt
[SakOhgKas00] Cryptosystems based on pairing. Sakai, Ohgishi and Kasahara - SCIS
[HofKil08] Programmable hash functions and their applications. Hofheinz, Kiltz - CRYPTO
[KraRab00] Chameleon hash functions. Krawczyk, Rabin - NDSS
[ÇapGoePatQuaTowZaf] Signal-flow-based analysis of wireless security protocols. Çapar, Goeckel, Paterson, Quaglia, Towsley, Zafer - Information and Computation (to appear)
[DodKatSmiWal09] Composability and on-line deniability of authentication. Dodis, Katz, Smith and Walfish - TCC
[BoyMaoPat04] Key agreement using statically keyed authenticators. Boyd, Mao and Paterson - ACNS
[JakSakImp96] Designated verifier proofs and their applications. Jakobsson, Sako and Impagliazzo - Eurocrypt
Thank you for your attention!
NIKE in the ROM from Factoring - NIKE$_{\text{fac}}$
Hashed Diffie-Hellman in the group of signed quadratic residues $QR^+_N = \{|x| : x \in QR_N\}$, where $|x|$ is the absolute value when representing elements of $\mathbb{Z}_N$ as the set $\{-(N-1)/2, \ldots, (N-1)/2\}$.
CS($1^k$):
  $(N, P, Q) \leftarrow RSAgen(1^k)$; $g \leftarrow QR^+_N$, where $\langle g \rangle = QR^+_N$
  $par \leftarrow (H, N, g)$; return $par$
KG($par$, ID):
  $x \leftarrow \mathbb{Z}_{\lfloor N/4 \rfloor}$; $X \leftarrow g^x$; $pk \leftarrow X$; $sk \leftarrow x$; return $(pk, sk)$
SK($ID_1, pk_1, ID_2, sk_2$):
  If $ID_1 = ID_2$ or $pk_1 \notin QR^+_N$ or $pk_2 \notin QR^+_N$ return $\bot$
  else if $ID_1 < ID_2$ return $H(ID_1, ID_2, pk_1^{sk_2})$
  else if $ID_2 < ID_1$ return $H(ID_2, ID_1, pk_1^{sk_2})$
Security: factoring assumption; $N = PQ$ is a Blum integer; factoring ⇒ double SDH
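Added example (not the authors' code) of NIKE_fac with the checks the slide lists: arithmetic in the signed quadratic residues group, the QR_N^+ membership test that rejects a dishonestly registered public key before it is raised to the caller's secret, and the identity ordering that gives both parties the same hash input. The toy moduli, the use of SHA-256 as H, the Jacobi-symbol membership test (for a Blum integer N the set QR_N^+ equals {x in [1, (N-1)/2] : (x/N) = 1}, a fact from the signed-quadratic-residues literature rather than from these slides) and the function names are this example's assumptions.

```python
"""NIKE_fac: hashed Diffie-Hellman in QR_N^+ (added example, not the authors' code)."""
import hashlib
import math
import secrets

# Constructed toy Blum integer N = P*Q with P = Q = 3 (mod 4). Both are also safe
# primes, so QR_N^+ is cyclic as in the paper. Real moduli are thousands of bits.
P_TOY, Q_TOY = 1019, 2039


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; needs no factorisation of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def signed(x: int, n: int) -> int:
    """|x|: absolute value of x when Z_N is represented as {-(N-1)/2, ..., (N-1)/2}."""
    x %= n
    return x if x <= (n - 1) // 2 else n - x


def in_qr_plus(x: int, n: int) -> bool:
    """Membership in QR_N^+ = {|y| : y in QR_N}.

    For a Blum integer N, -1 has Jacobi symbol +1 but is not a square, so
    J_N = QR_N u (-QR_N) and QR_N^+ = {x in [1, (N-1)/2] : (x/N) = 1}. The test
    is therefore public: anyone can reject an invalid pk without knowing P, Q.
    """
    return 1 <= x <= (n - 1) // 2 and jacobi(x, n) == 1


def qr_pow(base: int, exp: int, n: int) -> int:
    """Exponentiation in QR_N^+: modular exponentiation followed by |.|."""
    return signed(pow(base, exp, n), n)


def cs(p: int = P_TOY, q: int = Q_TOY):
    """CS(1^k): N = PQ and g <- QR_N^+ (g = |a^2| for a random a coprime to N)."""
    n = p * q
    while True:
        a = secrets.randbelow(n - 2) + 2
        g = signed(a * a, n)
        if math.gcd(a, n) == 1 and g != 1:
            return {"N": n, "g": g}


def kg(par, identity):
    """KG(par, ID): x <- Z_{floor(N/4)}, pk = g^x, sk = x."""
    x = secrets.randbelow(par["N"] // 4)
    return qr_pow(par["g"], x, par["N"]), x


def sk(par, id1, pk1, id2, sk2):
    """SK(ID1, pk1, ID2, sk2): H(ID_lo, ID_hi, pk1^sk2) in identity order, or None (bottom)."""
    n = par["N"]
    pk2 = qr_pow(par["g"], sk2, n)          # the caller's own public key
    if id1 == id2 or not in_qr_plus(pk1, n) or not in_qr_plus(pk2, n):
        return None
    z = qr_pow(pk1, sk2, n)                  # |pk1^sk2| = |g^(x1*x2)| on both sides
    lo, hi = sorted([id1, id2])
    return hashlib.sha256(f"{lo}|{hi}|{z}".encode()).digest()
```

The membership test costs one Jacobi symbol computation, so the validity check that the DKR models require adds almost nothing to the cost of the exponentiation, and it is the reason the scheme can afford to accept public keys registered without any proof of knowledge.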
NIKE in the Standard Model from Factoring* - NIKE$_{\text{fac-int}}$
* with interactive key registration.
CS($1^k$):
  $(N, P, Q) \leftarrow RSAgen(1^k)$; $g, u_0, u_1, u_2 \leftarrow QR^+_N$, where $\langle g \rangle = QR^+_N$
  $hk, ck \leftarrow Cham.KG(1^k)$; $par \leftarrow (N, g, u_0, u_1, u_2, hk)$; return $par$
KG($par$, ID):
  $x \leftarrow \mathbb{Z}_{\lfloor N/4 \rfloor}$; $r \leftarrow R_{Cham}$; $Z \leftarrow g^{x \cdot 2^{3k}}$
  $t \leftarrow ChamH_{hk}(Z \| ID, r)$; $Y \leftarrow u_0 u_1^t u_2^{t^2}$; $X \leftarrow Y^x$
  $pk \leftarrow (Z, X, r)$; $sk \leftarrow x$; return $(pk, sk)$
SK($ID_1, pk_1, ID_2, sk_2$):
  If $ID_1 = ID_2$ or $pk_1 \notin QR^+_N \times QR^+_N \times R_{Cham}$ or $sk_2 \notin \mathbb{Z}_{\lfloor N/4 \rfloor}$ return $\bot$
  Parse $pk_1 =: (Z_1, X_1, r_1)$ and $sk_2 =: x_2$
  Return $BBS_N(Z_1^{x_2 \cdot 2^{2k}})$
Correctness: $Z_1^{x_2 \cdot 2^{2k}} = g^{x_1 x_2 \cdot 2^{5k}} = Z_2^{x_1 \cdot 2^{2k}}$
Security: factoring assumption*
* the key registration process must ensure that only consistent keys are registered, e.g., by having the user prove consistency in zero-knowledge
Key Encapsulation Mechanism - KEM
A KEM consists of 3 algorithms: KEM.KeyGen, Enc, Dec
KEM.KeyGen($1^k$) (a key generation algorithm)
- output: a pair of public key and private key $(pk_{KEM}, sk_{KEM})$
Enc($pk_{KEM}$) (a key encapsulation algorithm)
- output: an encapsulation key pair $(K, C)$, where $C$ is the encapsulation of key $K$
Dec($sk_{KEM}$, C) (a decapsulation algorithm)
- output: either the corresponding key $K$ or an invalid encapsulation symbol $\bot$
One-Time Signatures (OTS): OTS = (OTSKeyGen, OTSSign, OTSVfy)
- $(vk, sigk) \leftarrow OTSKeyGen(1^k)$
- $\sigma \leftarrow OTSSign(sigk, m)$
- reject or accept $\leftarrow OTSVfy(vk, m, \sigma)$
Strong OTS: Given $(m, \sigma)$, it is infeasible to output $(m', \sigma') \neq (m, \sigma)$ for which $\sigma'$ is a valid signature on $m'$
IND-CCA KEM from CKS-secure NIKE - KEM(NIKE, OTS)
KEM.KeyGen($1^k$):
  $par \leftarrow CS(1^k)$; $ID \leftarrow IDS$; $(pk, sk) \leftarrow KG(par, ID)$
  Output $(pk_{KEM} = (par, ID, pk),\ sk_{KEM} = (ID, sk))$
Enc($pk_{KEM}$):
  Parse $pk_{KEM}$ as $(par, ID, pk)$; $(vk, sigk) \leftarrow OTSKeyGen(1^k)$ with $vk \neq ID$
  $(pk', sk') \leftarrow KG(par, ID' = vk)$ (randomly generated key pair for NIKE); $\sigma \leftarrow OTSSign(sigk, pk')$ (the OTS binds $pk'$ to $ID'$)
  $K \leftarrow SK(ID, pk, ID' = vk, sk')$
  Output $(K, C = (vk, pk', \sigma))$ (ciphertext: the randomly generated public key $pk'$)
Dec($sk_{KEM}$, C):
  Parse $C$ as $(vk, pk', \sigma)$ and $sk_{KEM}$ as $(ID, sk)$
  Run $OTSVfy(vk, pk', \sigma)$ and output $\bot$ if the output is reject or if $vk = ID$
  Otherwise output $SK(ID' = vk, pk', ID, sk)$ (shared key computed from $sk$ and $pk'$)
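The KEM(NIKE, OTS) construction above, together with the NIKE interface from the formal definition (CS, KG, SK returning ⊥ on ID1 = ID2, and the correctness requirement SK(ID1, pk1, ID2, sk2) = SK(ID2, pk2, ID1, sk1)), as one added Python example that is not the authors' code. The NIKE is hashed Diffie-Hellman in a toy prime-order group with a subgroup membership check on the peer's key, the OTS is a Lamport one-time signature over SHA-256, and the identity ID' is taken as SHA-256(vk) rather than vk itself; these choices, the group parameters and all function names are assumptions of the example.

```python
"""KEM(NIKE, OTS): hashed-DH NIKE + Lamport OTS (added example, not the authors' code)."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup. Real deployments use standardised groups of thousands of bits.
P, Q, G = 2039, 1019, 4


def h256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- NIKE = (CS, KG, SK): hashed Diffie-Hellman ------------------------------
def nike_cs():
    """CS(1^k): the public parameters par."""
    return {"p": P, "q": Q, "g": G}


def nike_kg(par, identity):
    """KG(par, ID): sk = x <- Z_q without 0, pk = g^x."""
    x = secrets.randbelow(par["q"] - 1) + 1
    return pow(par["g"], x, par["p"]), x


def nike_sk(par, id1, pk1, id2, sk2):
    """SK(ID1, pk1, ID2, sk2): K = H(ID_lo, ID_hi, pk1^sk2), or None for bottom."""
    if id1 == id2:
        return None
    # Validity check on the peer's (possibly adversarially registered) key:
    # it must be a non-identity element of the order-q subgroup.
    if not (1 < pk1 < par["p"]) or pow(pk1, par["q"], par["p"]) != 1:
        return None
    z = pow(pk1, sk2, par["p"])
    lo, hi = sorted([id1, id2])   # order identities so that K_{1,2} = K_{2,1}
    return h256(f"{lo}|{hi}|{z}".encode())


# ---- OTS = (OTSKeyGen, OTSSign, OTSVfy): Lamport signatures ------------------
def ots_keygen():
    """256 pairs of random preimages as sigk; vk holds their SHA-256 images."""
    sigk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [(h256(s0), h256(s1)) for s0, s1 in sigk]
    return vk, sigk


def msg_bits(msg: bytes):
    d = h256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_sign(sigk, msg: bytes):
    """Reveal, for each bit of H(msg), the preimage selected by that bit."""
    return [sigk[i][b] for i, b in enumerate(msg_bits(msg))]


def ots_verify(vk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        h256(s) == vk[i][b] for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


def vk_to_id(vk) -> str:
    """ID' = SHA-256(vk): assumption, a compact identity still bound to vk."""
    return h256(b"".join(a + b for a, b in vk)).hex()


# ---- KEM(NIKE, OTS) -----------------------------------------------------------
def kem_keygen():
    """KEM.KeyGen: pk_KEM = (par, ID, pk), sk_KEM = (ID, sk)."""
    par = nike_cs()
    identity = "user-" + secrets.token_hex(8)     # ID <- IDS
    pk, sk = nike_kg(par, identity)
    return (par, identity, pk), (identity, sk)


def kem_enc(pk_kem):
    """Enc: fresh OTS key, fresh NIKE key pair under ID' = vk, sign pk', derive K."""
    par, identity, pk = pk_kem
    vk, sigk = ots_keygen()
    id_prime = vk_to_id(vk)
    pk_prime, sk_prime = nike_kg(par, id_prime)
    sigma = ots_sign(sigk, str(pk_prime).encode())   # binds pk' to ID' = vk
    key = nike_sk(par, identity, pk, id_prime, sk_prime)
    return key, (vk, pk_prime, sigma)


def kem_dec(sk_kem, ctxt):
    """Dec: bottom if the OTS rejects or vk = ID, else SK(ID' = vk, pk', ID, sk)."""
    identity, sk = sk_kem
    vk, pk_prime, sigma = ctxt
    id_prime = vk_to_id(vk)
    if id_prime == identity or not ots_verify(vk, str(pk_prime).encode(), sigma):
        return None
    return nike_sk(nike_cs(), id_prime, pk_prime, identity, sk)   # par is public
```

The two rejections in kem_dec are what turns NIKE security into CCA security: a ciphertext whose pk' has been altered no longer verifies under vk, so a decapsulation query cannot be used to obtain the shared key of a related ephemeral key, and vk = ID is excluded because SK is defined to output ⊥ for equal identities.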
More Efficient NIKE to KEM Conversion
In the full version of our paper, we also provide a NIKE-KEM conversion that starts with a secure NIKE satisfying a simplified definition and produces an IND-CCA secure KEM without using OTS.