Non-Interactive Key Exchange
Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson
PKC 2013 - Nara, Japan, March 1, 2013
Non-Interactive Key Exchange
Goal: enabling two parties who know each other's public key to agree on a symmetric shared key without requiring any interaction.
Classical example: Diffie-Hellman Key Exchange
Let G be a group of prime order p with generator g.
Alice: sk_A : x ← Z_p, pk_A : X = g^x ∈ G
Bob: sk_B : y ← Z_p, pk_B : Y = g^y ∈ G
Shared key: K = X^y = Y^x = g^{xy}
More properly, K = H(Alice, Bob, g^{xy}).
Non-Interactive Key Exchange Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson
Formal Definition of NIKE
A NIKE scheme consists of 3 algorithms: CS, KG, SK.
We consider an identity space IDS and a shared key space SHK.
CS(1^k) (Common Setup - run by a trusted authority)
output: a set of system parameters par
KG(par, ID) (Key Generation - run by any user)
output: a pair of public key and private key (pk, sk)
SK(ID_1, pk_1, ID_2, sk_2) (Shared Key - run by any user)
output: either a shared key K_{1,2} ∈ SHK or ⊥; this algorithm is assumed to always output ⊥ if ID_1 = ID_2
Correctness requirement: we require SK(ID_1, pk_1, ID_2, sk_2) = SK(ID_2, pk_2, ID_1, sk_1) for any pair of identities ID_1, ID_2 and corresponding key pairs (pk_1, sk_1) and (pk_2, sk_2).
Identities are used to track which public keys are associated with which users.
We are not in the identity-based setting!
Applications of NIKE
wireless and sensor networks: conserving battery is a prime concern; the energy cost of communication must be minimised, so minimising the number of bits to be transmitted is fundamental. [CapGoePatQuaTowZaf] 1. evaluate the energy costs of interactive and non-interactive key exchange; 2. demonstrate that significant energy savings can be made by adopting a non-interactive approach
deniable authentication: [DodKatSmiWal09] explicitly requires a non-interactive key exchange
basis for interactive key exchange: [BoyMaoPat04] the shared key can be used in a MAC to authenticate an exchange of ephemeral Diffie-Hellman values
non-interactive designated verifier signature schemes: [JakSakImp96] again using the shared key in a MAC to authenticate messages
Motivation
Why should we study NIKE?
NIKE is a fundamental cryptographic primitive, but has not received much attention:
1976: major contribution in the ground-breaking paper of Diffie and Hellman
2000: [SakOhgKas00] provides an ID-based NIKE secure in the ROM
2008: [CasKilSho08] provides a basic security model for NIKE (the CKS model), analyses the Diffie-Hellman based scheme as well as a variant of it in the ROM
Motivation
In practice, the public keys will be certified, and consideration needs to be given to modelling the key registration process.
There are different possible security models for NIKE - with and without dishonest key registration (DKR) of public keys:
easy to get standard model security without DKR - does not reflect how CAs actually operate
easy to get ROM security with DKR - e.g. Hashed Diffie-Hellman: K = H(Alice, Bob, g^{xy})
Challenge: what about standard model security with DKR?
coming next
Contributions of this work
new security models for NIKE: we provide different security models for NIKE and explore the relationships between them; we focus on adversarial key registration queries, which pose the main technical obstacle to achieving NIKE security; we use the CKS security model as a starting point
constructions for secure NIKE: a provably secure NIKE scheme in the standard model (our main construction) - based on pairings; a provably secure scheme under the factoring assumption in the ROM
Challenge: what about a factoring-based construction secure in the standard model? We obtain such a scheme under the additional assumption that the adversary only registers valid public keys (this reflects the technical challenge involved in achieving our DKR security notions)
conversion from NIKE to KEM: we show that a secure NIKE implies an IND-CCA secure PKE scheme
Security Models
The CKS security model
Game between an adversary A and a challenger C:
C runs par ← CS(1^k), picks b ← {0, 1} and sends par to A.
Reg.Hon(ID): C runs (pk, sk) ← KG(par, ID), records (honest, ID, pk, sk) and returns pk.
Reg.Cor(ID, pk), with ID ≠ ID_A, ID_B: C records (corrupt, ID, pk, ⊥).
Corrupt Reveal(ID_1, ID_2), with {ID_1, ID_2} ≠ {ID_A, ID_B}: C returns K_{1,2} ← SK(ID_1, pk_1, ID_2, sk_2).
Test(ID_A, ID_B): C returns K* = K_{A,B} if b = 0, random if b = 1.
Finally A outputs a bit b.
Queries may be made adaptively and are arbitrary in number.
✓ minimizes assumptions about the CA
✗ omits some abilities of an adversary
Security Models
The m-CKS-heavy security model
Game between an adversary A and a challenger C:
C runs par ← CS(1^k), picks b ← {0, 1} and sends par to A.
Reg.Hon(ID): C runs (pk, sk) ← KG(par, ID), records (honest, ID, pk, sk) and returns pk.
Reg.Cor(ID, pk): C records (corrupt, ID, pk, ⊥).
Extract(ID), with ID ≠ ID_A, ID_B: C looks up the record (honest, ID, pk, sk) and returns sk.
Honest/Corrupt Reveal(ID_1, ID_2), with {ID_1, ID_2} ≠ {ID_A, ID_B}: C returns K_{1,2} ← SK(ID_1, pk_1, ID_2, sk_2).
Test(ID_A, ID_B): C returns K* = K_{A,B} if b = 0, random if b = 1.
Finally A outputs a bit b.
Queries may be made adaptively and are arbitrary in number.
Security Models and Their Relationships
Sec. Model   | Reg.Hon. | Reg.Cor. | Extract | Hon.Reveal | Cor.Reveal | Test
CKS-light    | 2        | yes      | no      | no         | yes        | 1
CKS          | yes      | yes      | no      | no         | yes        | yes
CKS-heavy    | yes      | yes      | yes     | yes        | yes        | 1
m-CKS-heavy  | yes      | yes      | yes     | yes        | yes        | yes
(yes: arbitrarily many queries of this type; no: query not available; 2: exactly two honest registrations; 1: a single Test query.)
CKS-light is the simplest security model!
Hierarchy: CKS-light, CKS, CKS-heavy, m-CKS-heavy (all of them are polynomially equivalent, see Conclusion).
NIKE in the Standard Model from Pairings - NIKE_dbdh-2
Ingredients
Programmable Hash Function - PHF [HofKil08]
used to employ partitioning techniques (can be instantiated in the standard model)
maps a bitstring X to a group element PHF(X)
a trapdoor allows to decompose PHF(X) = g^{a_X} h^{b_X} for chosen g and h
a PHF is (m, n)-programmable if, for all X_1, ..., X_m ≠ Z_1, ..., Z_n, Pr[a_{X_i} = 0 ∧ a_{Z_j} ≠ 0] is significant, i.e. PHF(X_i) = h^{b_{X_i}} while PHF(Z_j) = g^{a_{Z_j}} h^{b_{Z_j}}
Chameleon Hash Function - ChamH [KraRab00]
collision-resistant: hard to find (m_1, r_1) ≠ (m_2, r_2) such that ChamH(m_1, r_1) = ChamH(m_2, r_2)
trapdoor collisions: given any pair (m_1, r_1) and a message m_2, it is possible to find r_2 (with use of a trapdoor ck) such that ChamH(m_1, r_1) = ChamH(m_2, r_2)
there exist DL- and RSA-based realizations
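Added example (not code from the paper or the deck): the DL-based chameleon hash realisation the slide mentions, in Python over a constructed toy group (safe prime p = 2039, q = 1019, g = 4, tiny for readability). hk = (g, h = g^ck) is public and ck is the trapdoor; ChamH(m, r) = g^m h^r; collide() computes the r_2 that the trapdoor-collision property promises, while anyone without ck faces the discrete logarithm of h. The names Cham_KG, ChamH, collide and msg, and the SHA-256 encoding of Z || ID into Z_q, are my choices, not the paper's.

```python
import hashlib
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 and g = 4 of prime order q.
# Tiny on purpose; a real instantiation uses a group of cryptographic size.
P, Q, G = 2039, 1019, 4


def Cham_KG():
    """Returns (hk, ck): the public hash key hk = (g, h = g^ck) and the trapdoor ck = log_g h."""
    ck = 1 + secrets.randbelow(Q - 1)
    return (G, pow(G, ck, P)), ck


def ChamH(hk, m, r):
    """DL-based chameleon hash ChamH(m, r) = g^m * h^r mod p with m, r in Z_q."""
    g, h = hk
    return pow(g, m % Q, P) * pow(h, r % Q, P) % P


def collide(ck, m1, r1, m2):
    """Trapdoor collision: the r2 with ChamH(m1, r1) = ChamH(m2, r2).
    Both hashes equal g^(m + ck*r), so we need m1 + ck*r1 = m2 + ck*r2 (mod q)."""
    return (r1 + (m1 - m2) * pow(ck, -1, Q)) % Q


def msg(Z: bytes, ID: bytes) -> int:
    """Z || ID mapped into Z_q (length-prefixed so the split is unambiguous); my choice of encoding."""
    data = len(Z).to_bytes(2, "big") + Z + ID
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def demo():
    hk, ck = Cham_KG()
    m1, r1 = msg(b"Z-alice", b"Alice"), secrets.randbelow(Q)
    t1 = ChamH(hk, m1, r1)            # the tag t = ChamH_hk(Z || ID, r) used in KG of NIKE_dbdh-2
    m2 = msg(b"Z-bob", b"Bob")
    r2 = collide(ck, m1, r1, m2)       # only possible with the trapdoor ck
    same_tag = ChamH(hk, m2, r2) == t1
    # Without ck, changing r on a fixed message moves the hash (multiplies it by h != 1).
    moved = ChamH(hk, m1, (r1 + 1) % Q) != t1
    return same_tag, moved
```

demo() returns (True, True): the trapdoor holder retargets the randomness so that a different (Z, ID) hashes to the same t, which is exactly the capability a partitioning proof uses to fix the tag of a key pair before it knows the key.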
NIKE in the Standard Model from Pairings - NIKE_dbdh-2
Component algorithms of NIKE_dbdh-2
CS(1^k):
PG_2 = (G_1, G_2, G_T, g_1, g_2, p, e, ψ) ← G_2(1^k)
u_0, u_1, u_2, S ← G_1^*; (hk, ck) ← Cham.KG(1^k)
par ← (PG_2, u_0, u_1, u_2, S, hk); return par
KG(par, ID):
x ← Z_p; r ← R_Cham; Z ← g_2^x
t ← ChamH_hk(Z || ID, r) (chameleon hash function); Y ← u_0 u_1^t u_2^{t^2} (a weak (2, poly)-PHF); X ← Y^x
pk ← (X, Z, r); sk ← x; return (pk, sk)
SK(ID_1, pk_1, ID_2, sk_2):
if ID_1 = ID_2 return ⊥; parse pk_1 as (X_1, Z_1, r_1) and sk_2 as x_2
t_1 ← ChamH_hk(Z_1 || ID_1, r_1)
if e(X_1, g_2) ≠ e(u_0 u_1^{t_1} u_2^{t_1^2}, Z_1) (validity check of the public key) then K_{1,2} ← ⊥ else K_{1,2} ← e(S^{x_2}, Z_1)
return K_{1,2}
Correctness: e(S^{x_2}, Z_1) = e(S, g_2)^{x_1 x_2}.
Security: DBDH-2 assumption. Given (g_2^a, g_2^b, g_1^c, T), decide whether or not T = e(g_1, g_2)^{abc}.
Conclusion
Our contributions
new security models for NIKE: we provided new security models for NIKE and showed that they are all polynomially equivalent to one another and to the original CKS model
constructions for secure NIKE: we gave constructions for secure NIKE in the ROM and in the standard model (under the challenging security notions with DKR)
conversion from NIKE to KEM: we showed that a secure NIKE implies an IND-CCA secure PKE scheme (showing the fundamental utility of NIKE)
Open problems
construct pairing-free NIKE schemes secure in the standard model
construct ID-based NIKE schemes secure in the standard model
consider three-party NIKE schemes based on Joux's protocol
Bibliography
[CasKilSho08] The twin Diffie-Hellman problem and applications. Cash, Kiltz and Shoup - Eurocrypt
[SakOhgKas00] Cryptosystems based on pairing. Sakai, Ohgishi and Kasahara - SCIS
[HofKil08] Programmable hash functions and their applications. Hofheinz, Kiltz - CRYPTO
[KraRab00] Chameleon hash functions. Krawczyk, Rabin - NDSS
[CapGoePatQuaTowZaf] Signal-flow-based analysis of wireless security protocols. Capar, Goeckel, Paterson, Quaglia, Towsley, Zafer - Information and Computation (to appear)
[DodKatSmiWal09] Composability and on-line deniability of authentication. Dodis, Katz, Smith and Walfish - TCC
[BoyMaoPat04] Key agreement using statically keyed authenticators. Boyd, Mao and Paterson - ACNS
[JakSakImp96] Designated verifier proofs and their applications. Jakobsson, Sako and Impagliazzo - Eurocrypt
Thank you for your attention!
NIKE in the ROM from Factoring - NIKE_fac
Hashed Diffie-Hellman in the group of signed quadratic residues
QR_N^+ = {|x| : x ∈ QR_N}, where |x| is the absolute value when representing elements of Z_N as the set {-(N-1)/2, ..., (N-1)/2}; N = PQ is a Blum integer.
CS(1^k):
(N, P, Q) ← RSAgen(1^k); g ← QR_N^+, where ⟨g⟩ = QR_N^+
par ← (H, N, g); return par
KG(par, ID):
x ← Z_{⌊N/4⌋}; X ← g^x
pk ← X; sk ← x; return (pk, sk)
SK(ID_1, pk_1, ID_2, sk_2):
if (ID_1 = ID_2) or pk_1 ∉ QR_N^+ or pk_2 ∉ QR_N^+ return ⊥
else if ID_1 < ID_2 return H(ID_1, ID_2, pk_1^{sk_2})
else if ID_2 < ID_1 return H(ID_2, ID_1, pk_1^{sk_2})
Security: factoring assumption (factoring ⇒ double SDH).
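Added example, not the paper's code: NIKE_fac in Python over a constructed toy Blum integer (P = 1019, Q = 1187, both ≡ 3 mod 4 and both safe primes; far too small for real use). It implements the signed-quadratic-residue group through the |·| map defined above, the exponent range Z_{⌊N/4⌋}, the identity ordering in SK, and the pk ∈ QR_N^+ check. The membership test relies on the fact that for a Blum integer QR_N^+ coincides with the signed elements of Jacobi symbol +1, so it needs no knowledge of P and Q; that a random square generates QR_N^+ is assumed (it holds with overwhelming probability for safe primes). SHA-256 stands in for the random oracle H; CS, KG and SK follow the slide, while jacobi, signed, in_qr_plus and sqr_exp are helpers of mine.

```python
import hashlib
import math
import secrets

# Constructed toy Blum integer N = PQ: P, Q ≡ 3 (mod 4), both safe primes, so a random square
# generates QR_N^+ with overwhelming probability. Far too small for real use.
P, Q = 1019, 1187


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def signed(x, N):
    """|x|: represent Z_N as {-(N-1)/2, ..., (N-1)/2} and take the absolute value."""
    x %= N
    return x if x <= (N - 1) // 2 else N - x


def in_qr_plus(x, N):
    """Membership test for QR_N^+ without the factorisation of N:
    for a Blum integer QR_N^+ = J_N^+, so 'in signed range and Jacobi symbol +1' decides it."""
    return 1 <= x <= (N - 1) // 2 and jacobi(x, N) == 1


def sqr_exp(g, x, N):
    """Exponentiation in QR_N^+: modular exponentiation followed by the |.| map."""
    return signed(pow(g, x, N), N)


def CS():
    """par = (H, N, g); H is SHA-256 here, g = |a^2| is a random element of QR_N^+."""
    N = P * Q
    while True:
        a = 2 + secrets.randbelow(N - 3)
        if math.gcd(a, N) == 1:
            break
    return {"N": N, "g": sqr_exp(a, 2, N)}


def KG(par, ID):
    N = par["N"]
    x = secrets.randbelow(N // 4)  # x ← Z_{⌊N/4⌋}
    return sqr_exp(par["g"], x, N), x


def SK(par, ID1, pk1, ID2, sk2):
    """None plays the role of ⊥. pk_2 is the caller's own key, so only pk_1 is checked here."""
    N = par["N"]
    if ID1 == ID2 or not in_qr_plus(pk1, N):
        return None
    dh = sqr_exp(pk1, sk2, N)
    a, b = sorted([ID1, ID2])  # the slide's ID_1 < ID_2 / ID_2 < ID_1 ordering
    return hashlib.sha256(f"{a}|{b}|{dh}".encode()).digest()


def demo():
    par = CS()
    N = par["N"]
    pkA, skA = KG(par, "Alice")
    pkB, skB = KG(par, "Bob")
    agree = SK(par, "Alice", pkA, "Bob", skB) == SK(par, "Bob", pkB, "Alice", skA)
    # A registered key with Jacobi symbol -1 lies outside QR_N^+ and is rejected.
    nonres = next(x for x in range(2, N) if jacobi(x, N) == -1)
    rejected = SK(par, "Mallory", nonres, "Bob", skB)
    # A value above (N-1)/2 is not in signed form and is rejected as well.
    too_big = SK(par, "Mallory", N - 1, "Bob", skB)
    return agree, rejected, too_big, in_qr_plus(pkA, N)
```

demo() returns (True, None, None, True): honest users agree on the key, and both malformed public keys are turned into ⊥ by the membership check alone, which is what lets the scheme tolerate dishonestly registered keys in the ROM.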
NIKE in the Standard Model from Factoring* - NIKE_fac-int
* with interactive key registration.
CS(1^k):
(N, P, Q) ← RSAgen(1^k); g, u_0, u_1, u_2 ← QR_N^+, where ⟨g⟩ = QR_N^+
(hk, ck) ← Cham.KG(1^k); par ← (N, g, u_0, u_1, u_2, hk); return par
KG(par, ID):
x ← Z_{⌊N/4⌋}; r ← R_Cham; Z ← g^{x·2^{3k}}
t ← ChamH_hk(Z || ID, r); Y ← u_0 u_1^t u_2^{t^2}; X ← Y^x
pk ← (Z, X, r); sk ← x; return (pk, sk)
SK(ID_1, pk_1, ID_2, sk_2):
if (ID_1 = ID_2) or pk_1 ∉ QR_N^+ × QR_N^+ × R_Cham or sk_2 ∉ Z_{⌊N/4⌋} return ⊥
parse pk_1 =: (Z_1, X_1, r_1) and sk_2 =: x_2
return BBS_N(Z_1^{x_2·2^{2k}})
Correctness: Z_1^{x_2·2^{2k}} = g^{x_1·x_2·2^{5k}} = Z_2^{x_1·2^{2k}}.
Security: factoring assumption*
* the key registration process must ensure that only consistent keys are registered, e.g., by having the user prove consistency in zero-knowledge.
Key Encapsulation Mechanism - KEM
A KEM consists of 3 algorithms: KEM.KeyGen, Enc, Dec
KEM.KeyGen(1^k) (a key generation algorithm)
output: a pair of public key and private key (pk_KEM, sk_KEM)
Enc(pk_KEM) (a key encapsulation algorithm)
output: an encapsulation key pair (K, C), where C is the encapsulation of key K
Dec(sk_KEM, C) (a decapsulation algorithm)
output: either the corresponding key K or an invalid encapsulation symbol ⊥
One-Time Signatures (OTS): OTS = (OTSKeyGen, OTSSign, OTSVfy)
(vk, sigk) ← OTSKeyGen(1^k)
σ ← OTSSign(sigk, m)
reject or accept ← OTSVfy(vk, m, σ)
Strong OTS: given one (m, σ), it is infeasible to output a new pair (m', σ') for which σ' is a valid signature on m'
IND-CCA KEM from CKS-secure NIKE - KEM(NIKE, OTS)
KEM.KeyGen(1^k):
par ← CS(1^k); ID ← IDS; (pk, sk) ← KG(par, ID)
output (pk_KEM = (par, ID, pk), sk_KEM = (ID, sk))
Enc(pk_KEM):
parse pk_KEM as (par, ID, pk)
(vk, sigk) ← OTSKeyGen(1^k) with vk ≠ ID
(pk', sk') ← KG(par, ID' = vk) (randomly generated key pair for NIKE; the ciphertext carries the randomly generated public key pk')
σ ← OTSSign(sigk, pk') (the OTS binds pk' to ID')
K ← SK(ID, pk, ID' = vk, sk')
output (K, C = (vk, pk', σ))
Dec(sk_KEM, C):
parse C as (vk, pk', σ) and sk_KEM as (ID, sk)
run OTSVfy(vk, pk', σ) and output ⊥ if the output is reject or if vk = ID; otherwise output SK(ID' = vk, pk', ID, sk) (shared key computed from sk and pk')
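Added example (not the authors' code) serving both the formal NIKE definition and hashed Diffie-Hellman example from the start of the deck and the KEM(NIKE, OTS) conversion on this slide, in Python over a constructed toy group (safe prime p = 2039, q = 1019, g = 4). The NIKE is hashed Diffie-Hellman K = H(ID_a, ID_b, g^{xy}) with identities sorted so that both sides hash the same tuple, a subgroup-membership check on the peer's public key as the validity check, and None for ⊥. The OTS is a Lamport scheme over SHA-256, which I assume meets the strong OTS requirement; ID' = vk is the serialised verification key, and sk_KEM additionally carries par so that Dec can run the group operations (a deviation from the slide's (ID, sk)). Function names follow the slides; valid_pk, vk_to_id and demo are mine.

```python
import hashlib
import secrets

# Constructed toy group: safe prime p = 2q + 1 and g = 4 of prime order q.
# Tiny on purpose; a deployment would use a 2048-bit or larger group.
P, Q, G = 2039, 1019, 4


# ---- NIKE = (CS, KG, SK): hashed Diffie-Hellman, K = H(ID_a, ID_b, g^xy) ----
def CS():
    """Common setup: the public system parameters par."""
    return {"p": P, "q": Q, "g": G}


def KG(par, ID):
    """Key generation for identity ID: sk = x in Z_q, pk = g^x."""
    x = 1 + secrets.randbelow(par["q"] - 1)
    return pow(par["g"], x, par["p"]), x


def valid_pk(par, X):
    """Validity check on a peer's public key: X must lie in the order-q subgroup."""
    return 1 < X < par["p"] and pow(X, par["q"], par["p"]) == 1


def SK(par, ID1, pk1, ID2, sk2):
    """Shared key of ID1 (public key pk1) and ID2 (private key sk2); None plays the role of ⊥."""
    if ID1 == ID2 or not valid_pk(par, pk1):
        return None
    dh = pow(pk1, sk2, par["p"])
    a, b = sorted([ID1, ID2])  # canonical order, so both parties hash the same tuple
    return hashlib.sha256(f"{a}|{b}|{dh}".encode()).digest()


# ---- One-time signature: Lamport scheme over SHA-256 (assumed to be a strong OTS) ----
def _bits(m):
    d = hashlib.sha256(m).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def OTSKeyGen():
    sigk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    vk = [(hashlib.sha256(s0).digest(), hashlib.sha256(s1).digest()) for s0, s1 in sigk]
    return vk, sigk


def OTSSign(sigk, m):
    return [sigk[i][bit] for i, bit in enumerate(_bits(m))]  # reveal one preimage per bit


def OTSVfy(vk, m, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == vk[i][bit] for i, (bit, s) in enumerate(zip(_bits(m), sig)))


def vk_to_id(vk):
    """ID' = vk: identities are strings here, so vk is serialised verbatim."""
    return b"".join(h0 + h1 for h0, h1 in vk).hex()


# ---- KEM(NIKE, OTS) ----
def KEM_KeyGen():
    par = CS()
    ID = "receiver"  # any identity from IDS
    pk, sk = KG(par, ID)
    return (par, ID, pk), (par, ID, sk)  # par also kept in skKEM so that Dec can do group arithmetic


def Enc(pkKEM):
    par, ID, pk = pkKEM
    while True:
        vk, sigk = OTSKeyGen()
        IDp = vk_to_id(vk)
        if IDp != ID:  # the slide requires vk != ID
            break
    pkp, skp = KG(par, IDp)                     # fresh NIKE key pair under identity ID' = vk
    sigma = OTSSign(sigk, str(pkp).encode())    # the OTS binds pk' to ID'
    K = SK(par, ID, pk, IDp, skp)
    return K, (vk, pkp, sigma)


def Dec(skKEM, C):
    par, ID, sk = skKEM
    vk, pkp, sigma = C
    IDp = vk_to_id(vk)
    if IDp == ID or not OTSVfy(vk, str(pkp).encode(), sigma):
        return None
    return SK(par, IDp, pkp, ID, sk)


def demo():
    """NIKE correctness, the two ⊥ cases, the KEM round trip and a tampered ciphertext."""
    par = CS()
    pkA, skA = KG(par, "Alice")
    pkB, skB = KG(par, "Bob")
    agree = SK(par, "Alice", pkA, "Bob", skB) == SK(par, "Bob", pkB, "Alice", skA)
    same_id = SK(par, "Alice", pkA, "Alice", skA)            # must be ⊥
    bad_pk = SK(par, "Mallory", par["p"] - 1, "Bob", skB)    # order-2 element, must be ⊥
    pkKEM, skKEM = KEM_KeyGen()
    K, (vk, pkp, sigma) = Enc(pkKEM)
    roundtrip = Dec(skKEM, (vk, pkp, sigma)) == K
    tampered = Dec(skKEM, (vk, pkp * par["g"] % par["p"], sigma))  # pk' swapped: signature fails
    return agree, same_id, bad_pk, roundtrip, tampered
```

demo() returns (True, None, None, True, None). The last value is the CCA-relevant behaviour: a decapsulation query whose pk' was altered fails the OTS check, so the receiver never applies sk to an attacker-chosen public key under a verification key it did not sign with.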
More Efficient NIKE to KEM Conversion
In the full version of our paper, we also provide a NIKE-KEM conversion that starts with a secure NIKE satisfying a simplified definition and produces an IND-CCA secure KEM without using OTS.