On Tightly Secure Non-Interactive Key Exchange

Transcription

1 On Tightly Secure Non-Interactive Key Exchange Julia Hesse (Technische Universität Darmstadt) Dennis Hofheinz (Karlsruhe Institute of Technology) Lisa Kohl (Karlsruhe Institute of Technology) 1

2 Non-Interactive Key Exchange (NIKE) pk 1, pk 2 (pk 1, sk 1 ) KeyGen K 21 = SharedKey(pk 2, sk 1 ) = (pk 2, sk 2 ) KeyGen K 12 = SharedKey(pk 1, sk 2 ) 2

3 Tight security Scheme S secure if problem P hard: A attacks S = B attacks P s.t. Advantage S A }{{} L Advantage P B (+ similar runtime) security loss Asymptotic security: L polynomial 3

4 Tight security Scheme S secure if problem P hard: A attacks S = B attacks P s.t. Advantage S A }{{} L Advantage P B (+ similar runtime) security loss Asymptotic security: L polynomial Tight security: L small (e.g. small constant) 3

5 Tight security Scheme S secure if problem P hard: A attacks S = B attacks P s.t. Advantage S A }{{} L Advantage P B (+ similar runtime) security loss Asymptotic security: L polynomial Tight security: L small (e.g. small constant) Why do we care? Theory: closer relation between P and S Practice: smaller keys more efficient instantiations 3

6 Recap: Diffie-Hellman Key Exchange [DH76; CKS08] G group, g = G, p := G g a, g b a Z p K 21 = (g b ) a = g ab = b Z p K 12 = (g a ) b Decisional DH: a, b, c R Z p : (g a, g b, g ab ) c (g a, g b, g c ) 4

7 (Simplified) Security model pk1,, pkn 5

8 (Simplified) Security model pk1,, pkn 5

9 (Simplified) Security model pk1,, pkn 5

10 (Simplified) Security of NIKE w/ extractions (pk i, sk i ) KeyGen pk 1,..., pk n b {0, 1} K 0 SharedKey(pk i, sk j ) K 1 random key i, j {sk i } i / {i,j }, K b A b Advantage nike A := Pr[b = b] 1/2 6

11 Recap: DH Key Exchange - Security w/ extractions Idea: i, j R {1,..., n}, embed DDH-challenge in pk i, pk j 7

12 Recap: DH Key Exchange - Security w/ extractions Idea: i, j R {1,..., n}, embed DDH-challenge in pk i, pk j security loss of n 2 Reduction knows sk i i / {i, j } Reduction doesn t know sk i i {i, j } 7

13 Recap: DH Key Exchange - Security w/ extractions Idea: i, j R {1,..., n}, embed DDH-challenge in pk i, pk j security loss of n 2 Reduction knows sk i i / {i, j } Reduction doesn t know sk i i {i, j } [BJLS16]: This loss is inherent! 7

14 Our results Can we do better? 8

15 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). 8

16 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). Can we do even better? 8

17 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). Can we do even better? Seems hard! Lower bound of security loss n for broad class of NIKEs. 8

18 Our results Can we do better? Yes! First NIKE with security loss n (in the standard model). Can we do even better? Seems hard! Lower bound of security loss n for broad class of NIKEs. + Generic transformation with tight instantiation: NIKE with passive security NIKE with active security 8

19 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions 9

20 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P pk 1,..., pk n Solution to P B i, j {sk i } i / {i,j }, K b b A 9

21 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j 9

22 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) 9

23 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort 9

24 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy 9

25 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P rewind Solution to P B pk 1,..., pk n i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy security loss of at least Ω(n 2 ) 9

26 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P pk 1,..., pk n Reduction doesn t know sk i rewind Solution to P B i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim i {i, j } Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy security loss of at least Ω(n 2 ) 9

27 The lower bound of [BJLS16] applies to all NIKEs w/ unique secret keys rules out tight simple black-box reductions Instance of P pk 1,..., pk n Reduction doesn t know sk i rewind Solution to P B i, j {sk i } i / {i,j }, K b b Metareduction Λ A sim i {i, j } has to abort on all runs (i, j ) Idea: simulate A by computing K i j with extracted sk j (or sk i ) run (i, j ) on which B does not abort problem P easy security loss of at least Ω(n 2 ) 9

28 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key 10

29 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys 10

30 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) 10

31 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) 10

32 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) valid public keys c invalid public keys 10

33 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) valid public keys c invalid public keys (pk 1, sk 1 ), pk 2 : (pk 1, pk 2, SharedKey(pk 2, sk 1 )) (pk 1, pk 2, random) 10

34 How to circumvent the lower bound of [BJLS16]? Key of [BJLS16]: uniqueness of secret keys uniqueness of shared key Our scheme: public keys have many secret keys Not enough! By correctness: (pk 1, sk 1 ), (pk 2, sk 2 ): SharedKey(pk 2, sk 1 ) = SharedKey(pk 1, sk 2 ) Solution: invalid public keys (w/o secret keys) valid public keys c invalid public keys (pk 1, sk 1 ), pk 2 : (pk 1, pk 2, SharedKey(pk 2, sk 1 )) (pk 1, pk 2, random) Note: this requires entropy in sk 1 given pk 1 (and thus many secret keys)! 10

35 Recap: Subset membership problem (SMP) X set, L X NP-language Subset membership assumption for (X, L): {x x R L} c {x x R X \ L}

36 Recap: Subset membership problem (SMP) X set, L X NP-language Subset membership assumption for (X, L): {x x R L} c {x x R X \ L} valid public keys c invalid public keys 11

37 Recap: Hash proof system [CS98] HPS = (Gen, PubEval, PrivEval) is HPS for language L if: } PubEval(hpk, x, w) return the same key K for all x L with witness w PrivEval(hsk, x) Universality: x / L, (hpk, hsk ) Gen: (hpk, x, PrivEval(hsk, x)) (hpk, x, random) 12

38 Our NIKE Variation of the PAKE of [KOY01; GL03] HPS = (Gen, PubEval, PrivEval) for L, SMP for L X hard x 1, hpk 2 x 1 L with witness w 1 (hpk 2, hsk 2 ) Gen K 21 = PubEval(hpk 2, x 1, w 1 ) = K 12 = PrivEval(hsk 2, x 1 ) 13

39 Our NIKE Variation of the PAKE of [KOY01; GL03] HPS = (Gen, PubEval, PrivEval) for L, SMP for L X hard (hpk 1, x 1 ), (hpk 2, x 2 ) x 1 L with witness w 1 x 2 L with witness w 2 (hpk 1, hsk 1 ) Gen (hpk 2, hsk 2 ) Gen K 21 = PubEval(hpk 2, x 1, w 1 ) = K 12 = PrivEval(hsk 2, x 1 ) 13

40 Our NIKE Variation of the PAKE of [KOY01; GL03] HPS = (Gen, PubEval, PrivEval) for L, SMP for L X hard (hpk 1, x 1 ), (hpk 2, x 2 ) Note: hsk not unique can switch x to X \L x 1 L with witness w 1 (hpk 1, hsk 1 ) Gen K 21 = PubEval(hpk 2, x 1, w 1 ) = x 2 L with witness w 2 (hpk 2, hsk 2 ) Gen K 12 = PrivEval(hsk 2, x 1 ) 13

41 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i 14

42 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i j > i : K i j = PrivEval(hsk j, x i ) 14

43 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i j > i : K i j = PrivEval(hsk j, x i ) random if x i X \L and hsk j unknown 14

44 Proof of Security - Idea Idea: i R {1,..., n}, embed SMP-challenge as x i in pk i j > i : K i j = PrivEval(hsk j, x i ) random if x i X \L and hsk j unknown security loss of only n Reduction knows sk i i i Reduction doesn t know sk i i = i 14

45 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j 15

46 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) 15

47 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique 15

48 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient 15

49 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique 15

50 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys 15

51 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys Our metareduction: Idea: obtain sk i and sk j via rewinding to compute unique K i j 15

52 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys Our metareduction: Idea: obtain sk i and sk j via rewinding to compute unique K i j reduction aborts on all runs without i or on all runs without j 15

53 Towards a new lower bound [BJLS16]: obtain sk i or sk j via rewinding to compute unique K i j reduction aborts on all runs without i and all runs without j loss of Ω(n 2 ) Problem: sk i, sk j not unique Observation: uniqueness of K i j sufficient shared keys between valid public keys unique invalid public keys have no secret keys Our metareduction: Idea: obtain sk i and sk j via rewinding to compute unique K i j reduction aborts on all runs without i or on all runs without j loss of Ω(n) 15

54 From passive to active security Idea: add unbounded simulation sound NIZK proof of knowledge of secret key USS-NIZK allows to simulate during the reduction PoK allows to extract the secret key from corrupted users 16

55 From passive to active security Idea: add unbounded simulation sound NIZK proof of knowledge of secret key USS-NIZK allows to simulate during the reduction PoK allows to extract the secret key from corrupted users Instantiation: generic instantiation from standard components optimized tightly secure instantiation for our NIKE 16

56 Our results Reference pk sec. model sec. loss assumption uses [DH76] 1 G passive n 2 DDH - Ours 3 G passive n DDH - [CKS08] 2 G active 2 CDH ROM [FHKP13] 1 Z N active n 2 factoring ROM [FHKP13] 2 G + 1 Z p active n 2 DBDH pairing Ours 12 G active n DLIN pairing *w/o extractions Modular constructions New lower bound: applies to all schemes where invalid public keys have no secret keys yields a loss of Ω(n) for all simple black-box reductions Generic transformation from passive to active secure NIKE Thank you!! 17

57 Bibliography I Christoph Bader, Tibor Jager, Yong Li, and Sven Schäge. On the Impossibility of Tight Cryptographic Reductions. In: EUROCRYPT 2016, Part II. Ed. by Marc Fischlin and Jean-Sébastien Coron. Vol LNCS. Springer, Heidelberg, May 2016, pp doi: / _10. David Cash, Eike Kiltz, and Victor Shoup. The Twin Diffie-Hellman Problem and Applications. In: EUROCRYPT Ed. by Nigel P. Smart. Vol LNCS. Springer, Heidelberg, Apr. 2008, pp Ronald Cramer and Victor Shoup. A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. In: CRYPTO 98. Ed. by Hugo Krawczyk. Vol LNCS. Springer, Heidelberg, Aug. 1998, pp

58 Bibliography II Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. In: IEEE Transactions on Information Theory 22.6 (1976), pp Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, and Kenneth G. Paterson. Non-Interactive Key Exchange. In: PKC Ed. by Kaoru Kurosawa and Goichiro Hanaoka. Vol LNCS. Springer, Heidelberg, 2013, pp doi: / _17. Rosario Gennaro and Yehuda Lindell. A Framework for Password-Based Authenticated Key Exchange. In: EUROCRYPT Ed. by Eli Biham. Vol LNCS. Springer, Heidelberg, May 2003, pp

59 Bibliography III Jonathan Katz, Rafail Ostrovsky, and Moti Yung. Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords. In: EUROCRYPT Ed. by Birgit Pfitzmann. Vol LNCS. Springer, Heidelberg, May 2001, pp Eike Kiltz and Hoeteck Wee. Quasi-Adaptive NIZK for Linear Subspaces Revisited. In: EUROCRYPT 2015, Part II. Ed. by Elisabeth Oswald and Marc Fischlin. Vol LNCS. Springer, Heidelberg, Apr. 2015, pp doi: / _4. 20