On Tightly Secure Non-Interactive Key Exchange
Julia Hesse (Technische Universität Darmstadt), Dennis Hofheinz (Karlsruhe Institute of Technology), Lisa Kohl (Karlsruhe Institute of Technology)
Non-Interactive Key Exchange (NIKE)
Party 1: (pk1, sk1) ← KeyGen, K21 = SharedKey(pk2, sk1)
Party 2: (pk2, sk2) ← KeyGen, K12 = SharedKey(pk1, sk2)
The public keys pk1, pk2 are exchanged; correctness requires K21 = K12.
Tight security
Scheme S is secure if problem P is hard: A attacks S ⇒ B attacks P such that
  Advantage_A^S ≤ L · Advantage_B^P  (and B has similar runtime),
where L is the security loss.
◮ Asymptotic security: L ≤ polynomial
◮ Tight security: L small (e.g. a small constant)
Why do we care?
◮ Theory: closer relation between P and S
◮ Practice: smaller keys ⇒ more efficient instantiations
Recap: Diffie-Hellman Key Exchange
[DH76; CKS08] G group, ⟨g⟩ = G, p := |G|
Party 1: a ← Zp, pk1 = g^a, K21 = (g^b)^a
Party 2: b ← Zp, pk2 = g^b, K12 = (g^a)^b
K21 = K12 = g^ab
Decisional DH: for a, b, c ←R Zp: (g^a, g^b, g^ab) ≈c (g^a, g^b, g^c)
(Simplified) Security model
Adversary A is given pk1, . . . , pkn
(Simplified) Security of NIKE w/ extractions
Challenger: (pki, ski) ← KeyGen for i = 1, . . . , n; sends pk1, . . . , pkn to A
A chooses i⋆, j⋆
Challenger: b ← {0, 1}; K0 ← SharedKey(pki⋆, skj⋆), K1 a random key; sends {ski}_{i ∉ {i⋆, j⋆}} and Kb to A
A outputs b⋆
Advantage_A^nike := | Pr[b⋆ = b] − 1/2 |
Recap: DH Key Exchange - Security w/ extractions
Idea: i⋆, j⋆ ←R {1, . . . , n}, embed DDH-challenge in pki⋆, pkj⋆
Reduction knows ski for i ∉ {i⋆, j⋆}, but does not know ski for i ∈ {i⋆, j⋆}
⇒ security loss of ≈ n²
[BJLS16]: This loss is inherent!
Our results
Can we do better?
◮ Yes! First NIKE with security loss n (in the standard model).
Can we do even better?
◮ Seems hard! Lower bound of security loss n for a broad class of NIKEs.
+ Generic transformation with tight instantiation:
◮ NIKE with passive security ⇒ NIKE with active security
The lower bound of [BJLS16]
◮ applies to all NIKEs w/ unique secret keys
◮ rules out tight simple black-box reductions
Setting: reduction B receives an instance of P and runs A on pk1, . . . , pkn; A picks i⋆, j⋆ and receives {ski}_{i ∉ {i⋆, j⋆}} and Kb; A outputs b⋆ and B outputs a solution to P. B does not know ski for i ∈ {i⋆, j⋆}.
Metareduction Λ (simulating A as Asim, rewinding B):
◮ Idea: simulate A by computing Ki⋆j⋆ with extracted skj⋆ (or ski⋆)
◮ ∃ run ≠ (i⋆, j⋆) on which B does not abort ⇒ problem P easy
◮ ⇒ B has to abort on all runs ≠ (i⋆, j⋆)
◮ ⇒ security loss of at least Ω(n²)
How to circumvent the lower bound of [BJLS16]?
Key of [BJLS16]: uniqueness of secret keys ⇒ uniqueness of shared key
Our scheme: public keys have many secret keys
Not enough! By correctness: ∀(pk1, sk1), (pk2, sk2): SharedKey(pk2, sk1) = SharedKey(pk1, sk2)
Solution: invalid public keys (w/o secret keys)
◮ valid public keys ≈c invalid public keys
◮ ∀(pk1, sk1) and invalid pk2: (pk1, pk2, SharedKey(pk2, sk1)) ≡ (pk1, pk2, random)
Note: this requires entropy in sk1 given pk1 (and thus many secret keys)!
Recap: Subset membership problem (SMP)
X set, L ⊆ X NP-language
Subset membership assumption for (X, L): {x | x ←R L} ≈c {x | x ←R X \ L}
Correspondingly: valid public keys ≈c invalid public keys
Recap: Hash proof system
[CS98] HPS = (Gen, PubEval, PrivEval) is an HPS for language L if:
◮ PubEval(hpk, x, w) and PrivEval(hsk, x) return the same key K for all x ∈ L with witness w
◮ Universality: ∀x ∉ L, (hpk, hsk) ← Gen: (hpk, x, PrivEval(hsk, x)) ≡ (hpk, x, random)
Our NIKE
Variation of the PAKE of [KOY01; GL03]
HPS = (Gen, PubEval, PrivEval) for L, SMP for L ⊆ X hard
Party 1: x1 ← L with witness w1, (hpk1, hsk1) ← Gen; pk1 = (hpk1, x1); K21 = PubEval(hpk2, x1, w1)
Party 2: x2 ← L with witness w2, (hpk2, hsk2) ← Gen; pk2 = (hpk2, x2); K12 = PrivEval(hsk2, x1)
K21 = K12
Note:
◮ hsk not unique
◮ can switch x to X \ L
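As an added example (not code from the slides or the paper), the NIKE above instantiated with the DDH-based hash proof system of [CS98] over a constructed toy group; the tiny parameters, the known trapdoor ALPHA and all function names are assumptions of this illustration. It shows correctness, that one hpk has many hsk (the "hsk not unique" note), and that on an invalid x ∉ L the private evaluation depends on which hsk is held, which is the entropy in sk given pk that the proof relies on.

```python
import secrets

# Toy DDH group, constructed for illustration only (far too small to be secure): the order-Q
# subgroup of Z_P^*, with P = 2Q + 1. ALPHA is a trapdoor the toy keeps so that it can exhibit
# a second secret key for the same hpk; the real scheme has no such trapdoor.
P, Q, ALPHA = 2039, 1019, 7
G1 = 4                        # quadratic residue, hence a generator of the order-Q subgroup
G2 = pow(G1, ALPHA, P)        # second generator, G2 = G1^ALPHA

# Hash proof system [CS98] for the DH language L = {(G1^r, G2^r)} inside X = G x G
def hpk_of(hsk):
    return pow(G1, hsk[0], P) * pow(G2, hsk[1], P) % P

def hps_gen():
    hsk = (secrets.randbelow(Q), secrets.randbelow(Q))
    return hpk_of(hsk), hsk

def priv_eval(hsk, x):        # defined on all of X, needs hsk
    return pow(x[0], hsk[0], P) * pow(x[1], hsk[1], P) % P

def pub_eval(hpk, x, w):      # only for x = (G1^w, G2^w) in L, needs the witness w
    return pow(hpk, w, P)

def sample_valid():           # x in L together with its witness
    r = secrets.randbelow(Q)
    return (pow(G1, r, P), pow(G2, r, P)), r

def sample_invalid():         # x in X \ L: the SMP (here: DDH) challenge a reduction embeds
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    while s == r:
        s = secrets.randbelow(Q)
    return pow(G1, r, P), pow(G2, s, P)

def alt_hsk(hsk, t):          # another hsk for the same hpk: G1^(k1+ALPHA*t) * G2^(k2-t) = G1^k1 * G2^k2
    return ((hsk[0] + ALPHA * t) % Q, (hsk[1] - t) % Q)

# The NIKE of the slides: pk = (hpk, x), sk = (hsk, w). For i < j the shared key is
# K_ij = PrivEval(hsk_j, x_i) = PubEval(hpk_j, x_i, w_i): party i uses its witness, party j its hsk.
def keygen():
    hpk, hsk = hps_gen()
    x, w = sample_valid()
    return (hpk, x), (hsk, w)

def shared_key(my_id, my_pk, my_sk, peer_id, peer_pk):
    hsk, w = my_sk
    if my_id < peer_id:
        return pub_eval(peer_pk[0], my_pk[1], w)
    return priv_eval(hsk, peer_pk[1])
```

On a valid x both secret keys of the same hpk agree with PubEval, while on an invalid x they give different keys, which is why a reduction holding an invalid pki⋆ never has to commit to a unique Ki⋆j.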
Proof of Security - Idea
Idea: i⋆ ←R {1, . . . , n}, embed SMP-challenge as xi⋆ in pki⋆
∀j > i⋆: Ki⋆j = PrivEval(hskj, xi⋆) ≈ random if xi⋆ ∈ X \ L and hskj unknown
Reduction knows ski for i ≠ i⋆, but does not know ski for i = i⋆
⇒ security loss of only n
Towards a new lower bound
[BJLS16]:
◮ obtain ski⋆ or skj⋆ via rewinding to compute unique Ki⋆j⋆
◮ reduction aborts on all runs without i⋆ and all runs without j⋆ ⇒ loss of Ω(n²)
Problem: ski⋆, skj⋆ not unique
Observation: uniqueness of Ki⋆j⋆ sufficient
◮ shared keys between valid public keys unique
◮ invalid public keys have no secret keys
Our metareduction:
◮ Idea: obtain ski⋆ and skj⋆ via rewinding to compute unique Ki⋆j⋆
◮ reduction aborts on all runs without i⋆ or on all runs without j⋆ ⇒ loss of Ω(n)
From passive to active security
Idea: add an unbounded simulation-sound NIZK proof of knowledge of the secret key
◮ USS-NIZK allows to simulate during the reduction
◮ PoK allows to extract the secret key from corrupted users
Instantiation:
◮ generic instantiation from standard components
◮ optimized tightly secure instantiation for our NIKE
Our results
Reference   |pk|              sec. model   sec. loss   assumption   uses
[DH76]      1 × G             passive      n²          DDH
Ours        3 × G             passive      n           DDH
[CKS08]     2 × G             active⋆      2           CDH          ROM
[FHKP13]    1 × Z_N           active       n²          factoring    ROM
[FHKP13]    2 × G + 1 × Z_p   active       n²          DBDH         pairing
Ours        12 × G            active       n           DLIN         pairing
⋆ w/o extractions
Modular constructions
New lower bound:
◮ applies to all schemes where invalid public keys have no secret keys
◮ yields a loss of Ω(n) for all simple black-box reductions
Generic transformation from passive to active secure NIKE
Thank you!!
Bibliography
Christoph Bader, Tibor Jager, Yong Li, and Sven Schäge. “On the Impossibility of Tight Cryptographic Reductions”. In: EUROCRYPT 2016, Part II. Ed. by Marc Fischlin and Jean-Sébastien Coron. Vol. 9666. LNCS. Springer, Heidelberg, May 2016, pp. 273–304. doi: 10.1007/978-3-662-49896-5_10.
David Cash, Eike Kiltz, and Victor Shoup. “The Twin Diffie-Hellman Problem and Applications”. In: EUROCRYPT 2008. Ed. by Nigel P. Smart. Vol. 4965. LNCS. Springer, Heidelberg, Apr. 2008, pp. 127–145.
Ronald Cramer and Victor Shoup. “A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack”. In: CRYPTO’98. Ed. by Hugo Krawczyk. Vol. 1462. LNCS. Springer, Heidelberg, Aug. 1998, pp. 13–25.
Whitfield Diffie and Martin E. Hellman. “New Directions in Cryptography”. In: IEEE Transactions on Information Theory 22.6 (1976), pp. 644–654.
Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, and Kenneth G. Paterson. “Non-Interactive Key Exchange”. In: PKC 2013. Ed. by Kaoru Kurosawa and Goichiro Hanaoka. Vol. 7778. LNCS. Springer, Heidelberg, 2013, pp. 254–271. doi: 10.1007/978-3-642-36362-7_17.
Rosario Gennaro and Yehuda Lindell. “A Framework for Password-Based Authenticated Key Exchange”. In: EUROCRYPT 2003. Ed. by Eli Biham. Vol. 2656. LNCS. http://eprint.iacr.org/2003/032.ps.gz. Springer, Heidelberg, May 2003, pp. 524–543.
Jonathan Katz, Rafail Ostrovsky, and Moti Yung. “Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords”. In: EUROCRYPT 2001. Ed. by Birgit Pfitzmann. Vol. 2045. LNCS. Springer, Heidelberg, May 2001, pp. 475–494.
Eike Kiltz and Hoeteck Wee. “Quasi-Adaptive NIZK for Linear Subspaces Revisited”. In: EUROCRYPT 2015, Part II. Ed. by Elisabeth Oswald and Marc Fischlin. Vol. 9057. LNCS. Springer, Heidelberg, Apr. 2015, pp. 101–128. doi: 10.1007/978-3-662-46803-6_4.