on tightly secure non interactive key exchange
play

On Tightly Secure Non-Interactive Key Exchange Julia Hesse - PowerPoint PPT Presentation

May 16, 2023 •292 likes •884 views

On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit at Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1 Non-Interactive Key Exchange (NIKE) pk 1 , pk

  1. On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universit¨ at Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1

  2. Non-Interactive Key Exchange (NIKE) pk 1 , pk 2 (pk 1 , sk 1 ) ← KeyGen (pk 2 , sk 2 ) ← KeyGen K 21 = SharedKey (pk 2 , sk 1 ) = K 12 = SharedKey (pk 1 , sk 2 ) 2

  3. Tight security Scheme S secure if problem P hard: A attacks S = ⇒ B attacks P s.t. Advantage S · Advantage P ≤ L B (+ similar runtime) A ���� security loss ◮ Asymptotic security: L ≤ polynomial 3

  4. Tight security Scheme S secure if problem P hard: A attacks S = ⇒ B attacks P s.t. Advantage S · Advantage P ≤ L B (+ similar runtime) A ���� security loss ◮ Asymptotic security: L ≤ polynomial ◮ Tight security: L small (e.g. small constant) 3

  5. Tight security Scheme S secure if problem P hard: A attacks S = ⇒ B attacks P s.t. Advantage S · Advantage P ≤ L B (+ similar runtime) A ���� security loss ◮ Asymptotic security: L ≤ polynomial ◮ Tight security: L small (e.g. small constant) Why do we care? ◮ Theory: closer relation between P and S ◮ Practice: smaller keys ⇒ more efficient instantiations 3

  6. Recap: Diffie-Hellman Key Exchange [DH76; CKS08] G group, � g � = G , p := | G | g a , g b a ← Z p b ← Z p = g ab = K 21 = ( g b ) a K 12 = ( g a ) b Decisional DH: a , b , c ← R Z p : ( g a , g b , g ab ) ≈ c ( g a , g b , g c ) 4

  7. (Simplified) Security model pk 1 , · · · , pk n 5

  8. (Simplified) Security model pk 1 , · · · , pk n 5

  9. (Simplified) Security model pk 1 , · · · , pk n 5

  10. (Simplified) Security of NIKE w/ extractions pk 1 , . . . , pk n (pk i , sk i ) ← KeyGen i ⋆ , j ⋆ b ← { 0 , 1 } K 0 ← SharedKey (pk i ⋆ , sk j ⋆ ) A K 1 random key { sk i } i / ∈{ i ⋆ , j ⋆ } , K b b ⋆ := | Pr[ b ⋆ = b ] − 1 / 2 | Advantage nike A 6

  11. Recap: DH Key Exchange - Security w/ extractions Idea: i ⋆ , j ⋆ ← R { 1 , . . . , n } , embed DDH-challenge in pk i ⋆ , pk j ⋆ 7

  12. Recap: DH Key Exchange - Security w/ extractions Idea: i ⋆ , j ⋆ ← R { 1 , . . . , n } , embed DDH-challenge in pk i ⋆ , pk j ⋆ � security loss of ≈ n 2 Reduction knows sk i Reduction doesn’t know sk i ∈ { i ⋆ , j ⋆ } i ∈ { i ⋆ , j ⋆ } i / 7

  13. Recap: DH Key Exchange - Security w/ extractions Idea: i ⋆ , j ⋆ ← R { 1 , . . . , n } , embed DDH-challenge in pk i ⋆ , pk j ⋆ � security loss of ≈ n 2 Reduction knows sk i Reduction doesn’t know sk i ∈ { i ⋆ , j ⋆ } i ∈ { i ⋆ , j ⋆ } i / [BJLS16]: This loss is inherent! 7

  14. Our results Can we do better? 8

  15. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). 8

  16. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). Can we do even better? 8

  17. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). Can we do even better? ◮ Seems hard! Lower bound of security loss n for broad class of NIKEs. 8

  18. Our results Can we do better? ◮ Yes! First NIKE with security loss n (in the standard model). Can we do even better? ◮ Seems hard! Lower bound of security loss n for broad class of NIKEs. + Generic transformation with tight instantiation: ◮ NIKE with passive security � NIKE with active security 8

  19. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions 9

  20. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ B A { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ 9

  21. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ B A sim A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ 9

  22. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) 9

  23. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort 9

  24. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy 9

  25. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions pk 1 , . . . , pk n Instance of P i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy � ◮ ⇒ security loss of at least Ω( n 2 ) 9

  26. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions Reduction doesn’t know sk i pk 1 , . . . , pk n Instance of P i ∈ { i ⋆ , j ⋆ } i ⋆ , j ⋆ rewind B B A sim { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy � ◮ ⇒ security loss of at least Ω( n 2 ) 9

  27. The lower bound of [BJLS16] ◮ applies to all NIKEs w/ unique secret keys ◮ rules out tight simple black-box reductions Reduction doesn’t know sk i pk 1 , . . . , pk n Instance of P i ∈ { i ⋆ , j ⋆ } i ⋆ , j ⋆ rewind B B A sim ⇒ has to abort on all runs � = ( i ⋆ , j ⋆ ) { sk i } i / ∈{ i ⋆ , j ⋆ } , K b Solution to P b ⋆ Metareduction Λ ◮ Idea: simulate A by computing K i ⋆ j ⋆ with extracted sk j ⋆ (or sk i ⋆ ) ◮ ∃ run � = ( i ⋆ , j ⋆ ) on which B does not abort ⇒ problem P easy � ◮ ⇒ security loss of at least Ω( n 2 ) 9

  28. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key 10

  29. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys 10

  30. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) 10

  31. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) 10

  32. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) ≈ c valid public keys invalid public keys 10

  33. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) ≈ c valid public keys invalid public keys ∀ (pk 1 , sk 1 ) , pk 2 : (pk 1 , pk 2 , SharedKey (pk 2 , sk 1 )) ≡ (pk 1 , pk 2 , random ) 10

  34. How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: ∀ (pk 1 , sk 1 ) , (pk 2 , sk 2 ): SharedKey (pk 2 , sk 1 ) = SharedKey (pk 1 , sk 2 ) Solution: invalid public keys (w/o secret keys) ≈ c valid public keys invalid public keys ∀ (pk 1 , sk 1 ) , pk 2 : (pk 1 , pk 2 , SharedKey (pk 2 , sk 1 )) ≡ (pk 1 , pk 2 , random ) Note: this requires entropy in sk 1 given pk 1 (and thus many secret keys)! 10

  35. Recap: Subset membership problem (SMP) X set, L ⊆ X NP-language Subset membership assumption for ( X , L ): ≈ c { x | x ← R L } { x | x ← R X \ L }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

360 views • 34 slides
Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis

Tightly Secure Signatures and Public-Key Encryp8on Dennis Ho<einz and Tibor Jager Karlsruhe Ins,tute of Technology CRYPTO 2012 1 Tight

477 views • 15 slides
Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung Chan (CityU) Joint work with Navin Kashyap (IISc), Praneeth Kumar Vippathalla, (IISc) and Qiaoqiao Zhou (CUHK) Audio slides:

443 views • 17 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1

Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1

Tightly-Secure Signatures from Chameleon Hash Functions NIST, Maryland , PKC 2015 Olivier Blazy 1 , Saqib A. Kakvi 2 , Eike Kiltz 2 , Jiaxin Pan 2 1 University of Limoges, France 2 Ruhr University Bochum, Germany Keywords 1. Signatures 2. Tight

725 views • 44 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and Neil Brinkley Background The MRA and SPAA require that Suppliers and Networks Operators work together to resolve a number of issues that may arise

975 views • 28 slides
Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G.

Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G.

Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson PKC 2013 - Nara, Japan March 1, 2013 Non-Interactive Key Exchange Goal: Enabling two parties who know each others public key to agree on

588 views • 42 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Training Webinar Shane Denny and Alessandro Scarlatti Background The majority of communications in the Electricity and Gas Market are managed by sending Data Flows

293 views • 15 slides
PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable health information among stakeholders and regional networks Vision to develop a framework for the efficient exchange of patient-centric health

478 views • 21 slides
Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek

Non-Interactive Secure Computation from One-Way Functions Saikrishna Badrinarayanan Abhishek Jain (UCLA) (JHU) Rafail Ostrovsky Ivan Visconti (UCLA) (University of Salerno) Secure Two Party Computation Function f Input x Input y P 2 P 1

443 views • 21 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party

Batched Non-interactive 2PC Payman Mohassel Mike Rosulek Visa Research OSU Secure Two-Party Computation 2 1 (, ) Secure Two-Party Computation 2 1 (, ) Non-Interactive Secure

2.32k views • 48 slides
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

914 views • 45 slides
http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups

CS224W: Social and Information Network Analysis Jure Leskovec Stanford University Jure Leskovec, Stanford University http://cs224w.stanford.edu Networks of tightly Networks of tightly connected groups Network communities: Sets of

351 views • 34 slides
Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round GAKE Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng Yang Ruhr-University Bochum CANS 2013 1 / 40 Introduction, Motivation and Contributions GAKE Security Model

515 views • 50 slides
Inheritance Ch 15.1-15.2 Highlights - Creating parent/child classes (inheritance) Story time

Inheritance Ch 15.1-15.2 Highlights - Creating parent/child classes (inheritance) Story time

Inheritance Ch 15.1-15.2 Highlights - Creating parent/child classes (inheritance) Story time Story time Story time Story time Story time Derived classes Let's make this story into code! To create create a child class from a parent class,

348 views • 17 slides
Welcome to CSSE 220 We are excited that you are here: Start your computer and get ready for

Welcome to CSSE 220 We are excited that you are here: Start your computer and get ready for

Welcome to CSSE 220 We are excited that you are here: Start your computer and get ready for our first class session If you havent followed the instructions in the email I sent last night, please do that now Pick up a quiz from

397 views • 20 slides
Academic Senate Meeting 9-15-20 El Camino College Welcome New 2020-2021 Academic Senate Reps!

Academic Senate Meeting 9-15-20 El Camino College Welcome New 2020-2021 Academic Senate Reps!

Academic Senate Meeting 9-15-20 El Camino College Welcome New 2020-2021 Academic Senate Reps! Susana Acosta Faculty, Mathematical Sciences Division What is one thing you are looking forward to in your Senate role? I look forward to being

317 views • 29 slides
Prospects for InJo in Mexico Jorge Zavala Jorge.zavala@techba.com 1 Where we are TechBA

Prospects for InJo in Mexico Jorge Zavala Jorge.zavala@techba.com 1 Where we are TechBA

Prospects for InJo in Mexico Jorge Zavala Jorge.zavala@techba.com 1 Where we are TechBA as an innovation The reason with the promoter www.techba.com country 3rd Mexico Technology Innovation to grow Showcase

389 views • 8 slides
BiANE: Bipartite Attributed Network Embedding 1 2 2 1 3 Wentao Huang, Yuchen Li, Yuan Fang,

BiANE: Bipartite Attributed Network Embedding 1 2 2 1 3 Wentao Huang, Yuchen Li, Yuan Fang,

BiANE: Bipartite Attributed Network Embedding 1 2 2 1 3 Wentao Huang, Yuchen Li, Yuan Fang, Ju Fan, Hongxia Yang 1 School of Information, Renmin University of China 2 School of Information System, Singapore Management University 3 Damo

496 views • 36 slides
On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea

On Adaptive Attacks against Jao-Urbaniks Isogeny-Based Protocol Africacrypt, July 2020 Andrea Basso 1 , P eter Kutas 1 , Simon-Philipp Merz 2 , Christophe Petit 1 , Charlotte Weitk amper 1 University of Birmingham, UK Royal Holloway,

575 views • 19 slides
Peter Bromberg Executive Director, Salt Lake City Public Library Peter Bromberg and Marilee Moon

Peter Bromberg Executive Director, Salt Lake City Public Library Peter Bromberg and Marilee Moon

Marilee Moon Assistant Director of Customer Experience, Salt Lake City Public Library Peter Bromberg Executive Director, Salt Lake City Public Library Peter Bromberg and Marilee Moon Salt Lake City Public Library pbromberg@slcpl.org |

781 views • 77 slides
Doing Good and Doing Well: B-Corp & GGOB Jess Craft, Managing Director Anne-Claire Broughton,

Doing Good and Doing Well: B-Corp & GGOB Jess Craft, Managing Director Anne-Claire Broughton,

Doing Good and Doing Well: B-Corp & GGOB Jess Craft, Managing Director Anne-Claire Broughton, Principal Spencer Williams, CEO, Owner The Black Sheep Agency Broughton Consulting, LLC West Paw Houston, TX Durham, NC Bozeman, MT What is a

429 views • 21 slides

More recommend