Non-Interactive Key Exchange

Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson

PKC 2013 - Nara, Japan, March 1, 2013

Non-Interactive Key Exchange

Goal: Enabling two parties who know each other's public key to agree on a symmetric shared key without requiring any interaction.

Classical example: Diffie-Hellman Key Exchange

Let G be a group of prime order p with generator g.

Alice: sk_A : x ← Z_p, pk_A : X = g^x ∈ G
Bob:   sk_B : y ← Z_p, pk_B : Y = g^y ∈ G

Shared key: K = X^y = Y^x = g^{xy}

More properly, K = H(Alice, Bob, g^{xy}).


Formal Definition of NIKE

A NIKE scheme consists of 3 algorithms: CS, KG, SK.

We consider an identity space IDS and a shared key space SHK.

CS(1^k) (Common Setup - run by a trusted authority)
  output: a set of system parameters par

KG(par, ID) (Key Generation - run by any user)
  output: a pair of public key and private key (pk, sk)

SK(ID1, pk1, ID2, sk2) (Shared Key - run by any user)
  output: either a shared key K_{1,2} ∈ SHK or ⊥; this algorithm is assumed to always output ⊥ if ID1 = ID2

Correctness requirement: We require SK(ID1, pk1, ID2, sk2) = SK(ID2, pk2, ID1, sk1) for any pair of identities ID1, ID2 and corresponding key pairs (pk1, sk1) and (pk2, sk2).

Identities are used to track which public keys are associated with which users. We are not in the identity-based setting!


Applications of NIKE

Wireless and sensor networks: conserving battery is a prime concern. The energy cost of communication must be minimised, so minimising the number of bits to be transmitted is fundamental. [CapGoePatQuaTowZaf] 1. evaluate the energy costs of interactive and non-interactive key exchange, and 2. demonstrate that significant energy savings can be made by adopting a non-interactive approach.

Deniable authentication: [DodKatSmiWal09] explicitly requires a non-interactive key exchange.

Basis for interactive key exchange: [BoyMaoPat04] - the shared key can be used in a MAC to authenticate an exchange of ephemeral Diffie-Hellman values.

Non-interactive designated verifier signature schemes: [JakSakImp96] - again using the shared key in a MAC to authenticate messages.


Motivation

Why should we study NIKE?

NIKE is a fundamental cryptographic primitive, but has not received much attention:

1976: major contribution in the ground-breaking paper of Diffie and Hellman
2000: [SakOhgKas00] provides an ID-based NIKE secure in the ROM
2008: [CasKilSho08] provides a basic security model for NIKE (the CKS model), analyses the Diffie-Hellman based scheme as well as a variant of it in the ROM


Motivation

In practice, the public keys will be certified, and consideration needs to be given to modelling the key registration process.

There are different possible security models for NIKE - with and without dishonest key registration (DKR) of public keys:

easy to get standard model security without DKR - does not reflect how CAs actually operate
easy to get ROM security with DKR - e.g. Hashed Diffie-Hellman: K = H(Alice, Bob, g^{xy})

Challenge: What about standard model security with DKR? (coming next)


Contributions of this work

New security models for NIKE: we provide different security models for NIKE and explore the relationships between them. We focus on adversarial key registration queries, which pose the main technical obstacle to achieving NIKE security. We use as a starting point the CKS security model.

Constructions for secure NIKE: a provably secure NIKE scheme in the standard model (our main construction) - based on pairings; a provably secure scheme under the factoring assumption in the ROM.

Challenge: what about a factoring-based construction secure in the standard model? We obtain such a scheme under the additional assumption that the adversary only registers valid public keys (this reflects the technical challenge involved in achieving our DKR security notions).

Conversion from NIKE to KEM: we show that a secure NIKE implies an IND-CCA secure PKE scheme.


Security Models

The CKS security model

The challenger C runs par ← CS(1^k) and picks b ← {0, 1}; the adversary A receives par and may then make the following queries adaptively and in arbitrary number:

Reg.Hon(ID): C runs (pk, sk) ← KG(par, ID), records (honest, ID, pk, sk) and returns pk to A.
Reg.Cor(ID, pk): for ID ≠ IDA, IDB, C records (corrupt, ID, pk, ⊥).
Corrupt Reveal(ID1, ID2): for {ID1, ID2} ≠ {IDA, IDB}, C returns K_{1,2} ← SK(ID1, pk1, ID2, sk2).
Test(IDA, IDB): C returns K* = K_{A,B} if b = 0, and a random key if b = 1.

Finally A outputs its guess for the bit b.


✓ minimizes assumptions about the CA
✗ omits some abilities of an adversary


Security Models

The m-CKS-heavy security model

The challenger C runs par ← CS(1^k) and picks b ← {0, 1}; the adversary A receives par and may then make the following queries adaptively and in arbitrary number:

Reg.Hon(ID): C runs (pk, sk) ← KG(par, ID), records (honest, ID, pk, sk) and returns pk to A.
Reg.Cor(ID, pk): for ID ≠ IDA, IDB, C records (corrupt, ID, pk, ⊥).
Extract(ID): for an honestly registered ID ≠ IDA, IDB, C looks up (honest, ID, pk, sk) and returns sk to A.
Honest/Corrupt Reveal(ID1, ID2): for {ID1, ID2} ≠ {IDA, IDB}, C returns K_{1,2} ← SK(ID1, pk1, ID2, sk2).
Test(IDA, IDB): C returns K* = K_{A,B} if b = 0, and a random key if b = 1.

Finally A outputs its guess for the bit b.


Security Models and Their Relationships

Sec. Model     Reg.Hon.   Reg.Cor.   Extract   Hon.Reveal   Cor.Reveal   Test
CKS-light      2          ✓          ✗         ✗            ✓            1
CKS            ✓          ✓          ✗         ✗            ✓            ✓
CKS-heavy      ✓          ✓          ✓         ✓            ✓            1
m-CKS-heavy    ✓          ✓          ✓         ✓            ✓            ✓

(✓ = query allowed in arbitrary number, ✗ = not allowed; a number is the exact number of such queries permitted)

CKS-light is the simplest security model!

[Figure: the four models CKS-light, CKS, CKS-heavy and m-CKS-heavy, and the relationships between them]


NIKE in the Standard Model from Pairings - NIKE_dbdh-2

Ingredients

Programmable Hash Function - PHF [HofKil08]
used to employ partitioning techniques (can be instantiated in the standard model)
maps a bitstring X to a group element PHF(X)
a trapdoor allows to decompose PHF(X) = g^{a_X} h^{b_X} for chosen g and h
a PHF is (m, n)-programmable if for all X1, ..., Xm ≠ Z1, ..., Zn the probability Pr[a_{Xi} = 0 ∧ a_{Zj} ≠ 0] is significant, i.e. PHF(Xi) = h^{b_{Xi}} while PHF(Zj) = g^{a_{Zj}} h^{b_{Zj}}

Chameleon Hash Function - ChamH [KraRab00]
collision-resistant: hard to find (m1, r1) ≠ (m2, r2) such that ChamH(m1, r1) = ChamH(m2, r2)
trapdoor collisions: given any pair (m1, r1) and a message m2, it is possible to find r2 (with use of a trapdoor ck) such that ChamH(m1, r1) = ChamH(m2, r2)
there exist DL- and RSA-based realizations
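The DL-based chameleon hash named above, as an added example (not code from the paper or the slides): ChamH_hk(m, r) = g^m h^r with h = g^ck, so the holder of the trapdoor ck can compute collisions while everyone else only sees hk. The toy group parameters, the SHA-256 mapping of the message into Z_q, and the function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are both prime,
# so g = 4 (a square) generates the order-q subgroup of Z_p^*.  A real
# instance would use a group of cryptographic size.
P, Q, G = 2039, 1019, 4


def cham_keygen():
    """Cham.KG(1^k): trapdoor ck <- Z_q^*; public hash key hk = (p, q, g, h = g^ck).
    Honest parties receive only hk (it is what goes into par); ck stays private."""
    ck = secrets.randbelow(Q - 1) + 1
    hk = {"p": P, "q": Q, "g": G, "h": pow(G, ck, P)}
    return hk, ck


def to_zq(message: bytes) -> int:
    """Map an arbitrary bitstring (e.g. Z||ID in NIKE_dbdh-2) into Z_q."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def cham_hash(hk, message: bytes, r: int) -> int:
    """ChamH_hk(m, r) = g^m * h^r mod p, with m = to_zq(message) and r in Z_q."""
    p = hk["p"]
    return (pow(hk["g"], to_zq(message), p) * pow(hk["h"], r, p)) % p


def trapdoor_collision(ck: int, m1: bytes, r1: int, m2: bytes) -> int:
    """Given (m1, r1) and m2, find r2 with ChamH(m1, r1) = ChamH(m2, r2).

    Because h = g^ck, ChamH(m, r) = g^(m + ck*r); equating exponents
    m1 + ck*r1 = m2 + ck*r2 (mod q) gives r2 = r1 + (m1 - m2) * ck^-1 (mod q).
    Only the holder of ck can solve this; collision resistance for everyone
    else rests on the discrete logarithm of h.
    """
    return (r1 + (to_zq(m1) - to_zq(m2)) * pow(ck, -1, Q)) % Q


def demo():
    """Honest hashing of a Z||ID string versus a trapdoor collision on it."""
    hk, ck = cham_keygen()
    m1, r1 = b"Z_1||Alice", secrets.randbelow(Q)   # constructed Z||ID input
    t1 = cham_hash(hk, m1, r1)                      # the t that KG would compute
    m2 = b"Z_2||Bob"
    r2 = trapdoor_collision(ck, m1, r1, m2)
    return {
        "collision": cham_hash(hk, m2, r2) == t1,   # same t for a different input
        "distinct_inputs": (m1, r1) != (m2, r2),
    }
```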


NIKE in the Standard Model from Pairings - NIKE_dbdh-2

Component algorithms of NIKE_dbdh-2

CS(1^k)
PG2 = (G1, G2, GT, g1, g2, p, e, ψ) ← G2(1^k)
u0, u1, u2, S ← G1*; (hk, ck) ← Cham.KG(1^k)
par ← (PG2, u0, u1, u2, S, hk); Return par

KG(par, ID)
x ← Z_p; r ← R_Cham; Z ← g2^x
t ← ChamH_hk(Z||ID, r); Y ← u0 · u1^t · u2^{t^2}; X ← Y^x
pk ← (X, Z, r); sk ← x; Return (pk, sk)

SK(ID1, pk1, ID2, sk2)
If ID1 = ID2 return ⊥; Parse pk1 as (X1, Z1, r1) and sk2 as x2
t1 ← ChamH_hk(Z1||ID1, r1)
If e(X1, g2) ≠ e(u0 · u1^{t1} · u2^{t1^2}, Z1) then K_{1,2} ← ⊥ (validity check of the public key)
else K_{1,2} ← e(S^{x2}, Z1)
Return K_{1,2}

Security: DBDH-2 assumption. Given (g2^a, g2^b, g1^c, T), decide whether or not T = e(g1, g2)^{abc}.
Ingredients used: chameleon hash function; weak (2, poly)-PHF; validity check of public key.

Correctness: e(S^{x2}, Z1) = e(S, g2)^{x1 x2}


Conclusion

Our contributions

new security models for NIKE: we provided new security models for NIKE and showed that they are all polynomially equivalent to one another and to the original CKS model
constructions for secure NIKE: we gave constructions for secure NIKE in the ROM and in the standard model (under the challenging security notions with DKR)
conversion from NIKE to KEM: we showed that a secure NIKE implies an IND-CCA secure PKE scheme (showing the fundamental utility of NIKE)

Open problems

construct pairing-free NIKE schemes secure in the standard model
construct ID-based NIKE schemes secure in the standard model
consider three-party NIKE schemes based on Joux's protocol


Bibliography

[CasKilSho08] The twin Diffie-Hellman problem and applications. Cash, Kiltz and Shoup - Eurocrypt
[SakOhgKas00] Cryptosystems based on pairing. Sakai, Ohgishi and Kasahara - SCIS
[HofKil08] Programmable hash functions and their applications. Hofheinz and Kiltz - CRYPTO
[KraRab00] Chameleon hash functions. Krawczyk and Rabin - NDSS
[CapGoePatQuaTowZaf] Signal-flow-based analysis of wireless security protocols. Capar, Goeckel, Paterson, Quaglia, Towsley and Zafer - Information and Computation (to appear)
[DodKatSmiWal09] Composability and on-line deniability of authentication. Dodis, Katz, Smith and Walfish - TCC
[BoyMaoPat04] Key agreement using statically keyed authenticators. Boyd, Mao and Paterson - ACNS
[JakSakImp96] Designated verifier proofs and their applications. Jakobsson, Sako and Impagliazzo - Eurocrypt


Thank you for your attention!


NIKE in the ROM from Factoring - NIKE_fac

Hashed Diffie-Hellman in the group of signed quadratic residues QR_N^+ = {|x| : x ∈ QR_N}, where |x| is the absolute value when representing elements of Z_N as the set {−(N−1)/2, ..., (N−1)/2}.

CS(1^k)
(N, P, Q) ← RSAgen(1^k); g ← QR_N^+, where ⟨g⟩ = QR_N^+
par ← (H, N, g); Return par

KG(par, ID)
x ← Z_{⌊N/4⌋}; X ← g^x
pk ← X; sk ← x; Return (pk, sk)

SK(ID1, pk1, ID2, sk2)
If (ID1 = ID2) or pk1 ∉ QR_N^+ or pk2 ∉ QR_N^+ return ⊥
else if ID1 < ID2 return H(ID1, ID2, pk1^{sk2})
else if ID2 < ID1 return H(ID2, ID1, pk1^{sk2})

Security: factoring assumption. N = PQ is a Blum integer; factoring ⇒ double SDH.
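An added example (not the authors' code) of NIKE_fac as specified above, which also exercises the NIKE interface from the Formal Definition: CS/KG/SK, ⊥ on ID1 = ID2, the public-key validity check pk ∈ QR_N^+, and the correctness requirement SK(ID1, pk1, ID2, sk2) = SK(ID2, pk2, ID1, sk1). The toy Blum integer, SHA-256 as H, and the function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy Blum integer: P, Q are primes with P = Q = 3 (mod 4), so
# N = PQ is a Blum integer and QR_N^+ = J_N^+ (Jacobi symbol +1, signed
# representative).  A real instance uses RSAgen(1^k) with large primes.
P, Q = 1019, 1031
N = P * Q
HALF = (N - 1) // 2


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def signed(y: int) -> int:
    """|y|: represent y in {-(N-1)/2, ..., (N-1)/2} and take the absolute value."""
    y %= N
    return y if y <= HALF else N - y


def in_qr_plus(x: int) -> bool:
    """Validity check pk ∈ QR_N^+: inside the signed range and Jacobi symbol +1."""
    return 1 <= x <= HALF and jacobi(x, N) == 1


def cs():
    """CS(1^k): par = (H, N, g) with g a random element of QR_N^+.
    (This toy instance does not verify that <g> is all of QR_N^+.)"""
    g = signed(pow(secrets.randbelow(N - 2) + 2, 2, N))
    return {"N": N, "g": g}


def kg(par, ident: str):
    """KG(par, ID): x <- Z_{floor(N/4)}, X <- g^x; returns (pk, sk) = (X, x)."""
    x = secrets.randbelow(par["N"] // 4)
    return signed(pow(par["g"], x, par["N"])), x


def sk(par, id1: str, pk1: int, id2: str, sk2: int):
    """SK(ID1, pk1, ID2, sk2): ⊥ (None) on ID1 = ID2 or an invalid public key;
    otherwise H(ID_lo, ID_hi, pk1^sk2) with identities in sorted order, which
    is the ID1 < ID2 / ID2 < ID1 case split of the slide."""
    if id1 == id2:
        return None
    pk2 = signed(pow(par["g"], sk2, par["N"]))      # own public key, recomputed
    if not in_qr_plus(pk1) or not in_qr_plus(pk2):
        return None
    shared = signed(pow(pk1, sk2, par["N"]))
    h = hashlib.sha256()
    for part in (*sorted((id1, id2)), str(shared)):
        h.update(len(part).to_bytes(2, "big") + part.encode())
    return h.digest()


def demo():
    """Correctness, plus the two ways a registered public key can be invalid."""
    par = cs()
    pk_a, sk_a = kg(par, "Alice")
    pk_b, sk_b = kg(par, "Bob")
    non_residue = next(x for x in range(2, HALF) if jacobi(x, N) == -1)
    return {
        "keys_match": sk(par, "Alice", pk_a, "Bob", sk_b) == sk(par, "Bob", pk_b, "Alice", sk_a),
        "same_id_rejected": sk(par, "Alice", pk_a, "Alice", sk_a) is None,
        # N-1 = -1 has Jacobi symbol +1 for a Blum integer but is outside the signed range
        "out_of_range_rejected": sk(par, "Alice", N - 1, "Bob", sk_b) is None,
        "non_residue_rejected": sk(par, "Alice", non_residue, "Bob", sk_b) is None,
    }
```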


NIKE in the Standard Model from Factoring* - NIKE_fac-int

* with interactive key registration.

CS(1^k)
(N, P, Q) ← RSAgen(1^k); g, u0, u1, u2 ← QR_N^+, where ⟨g⟩ = QR_N^+
(hk, ck) ← Cham.KG(1^k); par ← (N, g, u0, u1, u2, hk); Return par

KG(par, ID)
x ← Z_{⌊N/4⌋}; r ← R_Cham; Z ← g^{x · 2^{3k}}
t ← ChamH_hk(Z||ID, r); Y ← u0 · u1^t · u2^{t^2}; X ← Y^x
pk ← (Z, X, r); sk ← x; Return (pk, sk)

SK(ID1, pk1, ID2, sk2)
If (ID1 = ID2) or pk1 ∉ QR_N^+ × QR_N^+ × R_Cham or sk2 ∉ Z_{⌊N/4⌋} return ⊥
Parse pk1 =: (Z1, X1, r1) and sk2 =: x2
Return BBS_N(Z1^{x2 · 2^{2k}})

Security: factoring assumption*
* the key registration process must ensure that only consistent keys are registered, e.g., by having the user prove consistency in zero-knowledge.

Correctness: Z1^{x2 · 2^{2k}} = g^{x1 · x2 · 2^{5k}} = Z2^{x1 · 2^{2k}}


Key Encapsulation Mechanism - KEM

A KEM consists of 3 algorithms: KEM.KeyGen, Enc, Dec

KEM.KeyGen(1^k) (a key generation algorithm)
  output: a pair of public key and private key (pk_KEM, sk_KEM)

Enc(pk_KEM) (a key encapsulation algorithm)
  output: an encapsulation key pair (K, C), where C is the encapsulation of key K

Dec(sk_KEM, C) (a decapsulation algorithm)
  output: either the corresponding key K or an invalid encapsulation symbol ⊥

One-Time Signatures (OTS): OTS = (OTSKeyGen, OTSSign, OTSVfy)
(vk, sigk) ← OTSKeyGen(1^k)
σ ← OTSSign(sigk, m)
reject or accept ← OTSVfy(vk, m, σ)

Strong OTS: Given (m, σ), it is infeasible to output (m′, σ′) ≠ (m, σ) for which σ′ is a valid signature on m′.


IND-CCA KEM from CKS-secure NIKE - KEM(NIKE, OTS)

KEM.KeyGen(1^k)
par ← CS(1^k); ID ← IDS; (pk, sk) ← KG(par, ID)   [randomly generated key pair for NIKE]
Output (pk_KEM = (par, ID, pk), sk_KEM = (ID, sk))

Enc(pk_KEM)
Parse pk_KEM as (par, ID, pk)
(vk, sigk) ← OTSKeyGen(1^k) with vk ≠ ID
(pk′, sk′) ← KG(par, ID′ = vk); σ ← OTSSign(sigk, pk′)   [ciphertext: randomly generated public key pk′; the OTS binds pk′ to ID′]
K ← SK(ID, pk, ID′ = vk, sk′)
Output (K, C = (vk, pk′, σ))

Dec(sk_KEM, C)
Parse C as (vk, pk′, σ) and sk_KEM as (ID, sk)
Run OTSVfy(vk, pk′, σ) and output ⊥ if the output is reject or if vk = ID; otherwise output SK(ID′ = vk, pk′, ID, sk)   [shared key computed from sk and pk′]
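The KEM(NIKE, OTS) construction above, as an added example (not the paper's code): the hashed Diffie-Hellman NIKE from the opening slide plays the NIKE, a Lamport one-time signature stands in for the strong OTS, and Dec returns ⊥ when OTSVfy rejects or vk = ID. The toy group parameters, SHA-256, and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy group for the hashed Diffie-Hellman NIKE: q = 1019 and
# p = 2q + 1 = 2039 are prime, g = 4 has order q.  Real use needs large parameters.
P, Q, G = 2039, 1019, 4
PAR = {"p": P, "q": Q, "g": G}           # output of CS(1^k), public to everyone


def _h(*parts: bytes) -> bytes:
    """Unambiguous hash of a tuple of byte strings (each length-prefixed)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def _enc(x: int) -> bytes:
    return x.to_bytes(2, "big")          # group elements fit in 2 bytes here


# --- NIKE: hashed Diffie-Hellman, K = H(ID_lo, ID_hi, g^xy) ---
def nike_kg(par, ident: bytes):
    x = secrets.randbelow(par["q"] - 1) + 1
    return pow(par["g"], x, par["p"]), x


def nike_sk(par, id1: bytes, pk1: int, id2: bytes, sk2: int):
    """⊥ (None) if ID1 = ID2 or pk1 is not a non-trivial element of the order-q subgroup."""
    if id1 == id2 or not (1 < pk1 < par["p"] and pow(pk1, par["q"], par["p"]) == 1):
        return None
    lo, hi = sorted((id1, id2))
    return _h(lo, hi, _enc(pow(pk1, sk2, par["p"])))


# --- OTS: Lamport one-time signature over SHA-256 digests ---
def ots_keygen():
    sigk = [secrets.token_bytes(32) for _ in range(512)]      # two preimages per digest bit
    vk = b"".join(hashlib.sha256(s).digest() for s in sigk)   # 512 hashes, 16 KiB
    return vk, sigk


def _bits(m: bytes) -> str:
    return format(int.from_bytes(hashlib.sha256(m).digest(), "big"), "0256b")


def ots_sign(sigk, m: bytes):
    return [sigk[2 * i + int(b)] for i, b in enumerate(_bits(m))]


def ots_verify(vk: bytes, m: bytes, sig) -> bool:
    if len(vk) != 512 * 32 or len(sig) != 256:
        return False
    return all(hashlib.sha256(s).digest() == vk[32 * (2 * i + int(b)):32 * (2 * i + int(b) + 1)]
               for i, (b, s) in enumerate(zip(_bits(m), sig)))


# --- KEM(NIKE, OTS) following the slide ---
def kem_keygen(ident: bytes = b"Alice"):
    pk, sk = nike_kg(PAR, ident)
    return (PAR, ident, pk), (ident, sk)          # (pk_KEM, sk_KEM)


def kem_enc(pk_kem):
    par, ident, pk = pk_kem
    vk, sigk = ots_keygen()
    if vk == ident:                               # slide requires vk != ID
        return kem_enc(pk_kem)
    pk2, sk2 = nike_kg(par, vk)                   # fresh NIKE key pair with ID' = vk
    sigma = ots_sign(sigk, _enc(pk2))             # OTS binds pk' to ID' = vk
    k = nike_sk(par, ident, pk, vk, sk2)          # K = SK(ID, pk, ID' = vk, sk')
    return k, (vk, pk2, sigma)


def kem_dec(sk_kem, c):
    ident, sk = sk_kem
    vk, pk2, sigma = c
    if vk == ident or not ots_verify(vk, _enc(pk2), sigma):
        return None                               # ⊥
    return nike_sk(PAR, vk, pk2, ident, sk)       # SK(ID' = vk, pk', ID, sk)


def demo():
    pk_kem, sk_kem = kem_keygen()
    k, (vk, pk2, sigma) = kem_enc(pk_kem)
    altered_pk = (pk2 * G) % P                    # another subgroup element, not the signed one
    return {
        "decaps_matches": kem_dec(sk_kem, (vk, pk2, sigma)) == k,
        "altered_pk_rejected": kem_dec(sk_kem, (vk, altered_pk, sigma)) is None,
        "vk_as_id_rejected": kem_dec((vk, sk_kem[1]), (vk, pk2, sigma)) is None,
    }
```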


More Efficient NIKE to KEM Conversion

In the full version of our paper, we also provide a NIKE-KEM conversion that starts with a secure NIKE satisfying a simplified definition and produces an IND-CCA secure KEM without using OTS.
