Abstract
We investigate the quality of security reductions for non-interactive key exchange (NIKE) schemes. Unlike for many other cryptographic building blocks (like public-key encryption, signatures, or zero-knowledge proofs), all known NIKE security reductions to date are non-tight, i.e., lose a factor of at least the number of users in the system. In that sense, NIKE forms a particularly elusive target for tight security reductions.
The main technical obstacle in achieving tightly secure NIKE schemes is adaptive corruptions. Hence, in this work, we explore security notions and schemes that lie between selective security and fully adaptive security. Concretely:
We exhibit a tradeoff between key size and reduction loss. We show that a tighter reduction can be bought with larger public and secret NIKE keys. Concretely, we present a simple NIKE scheme with a reduction loss of \(O(N^2\log (\nu )/\nu ^2)\), and public and secret keys of \(O(\nu )\) group elements, where \(N\) denotes the overall number of users in the system, and \(\nu \) is a freely adjustable scheme parameter.
Our scheme achieves full adaptive security even against multiple “test queries” (i.e., adversarial challenges), but requires keys of size \(O(N)\) to achieve (almost) tight security under the matrix Diffie-Hellman assumption. Still, already this simple scheme circumvents existing lower bounds.
We show that this tradeoff is inherent. We contrast the security of our simple scheme with a lower bound for all NIKE schemes in which shared keys can be expressed as an “inner product in the exponent”. This result covers the original Diffie-Hellman NIKE scheme, as well as a large class of its variants, and in particular our simple scheme. Our lower bound gives a tradeoff between the “dimension” of any such scheme (which directly corresponds to key sizes in existing schemes) and the reduction quality. For \(\nu =O(N)\), this shows our simple scheme and its reduction to be optimal (up to a logarithmic factor).
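To make the “inner product in the exponent” structure concrete, here is an added toy example (written for this page, not the paper's \({\mathtt {NIKE}} _\mathsf {ip}\) scheme, which uses matrix Diffie-Hellman-structured keys). Each party holds a secret vector \(x_i \in \mathbb {Z}_q^{\nu }\) and publishes \([x_i]=(g^{x_{i,1}},\dots ,g^{x_{i,\nu }})\); the shared key is \([\langle x_i, x_j\rangle ]\), which either party computes from its own secret and the other's public key. Dimension \(\nu =1\) is plain Diffie-Hellman; larger \(\nu \) gives the \(O(\nu )\)-element keys discussed above. The group parameters (a 10-bit safe prime) are constructed here purely to exercise the algebra and are far too small for any real use; the subgroup-membership check on received public keys is the practitioner's caveat (it rejects elements outside the prime-order subgroup, the classic small-subgroup pitfall).

```python
import secrets
from typing import List, Tuple

# Constructed toy group (NOT secure parameters): P = 2Q + 1 is a safe prime,
# so the quadratic residues of Z_P^* form a subgroup of prime order Q.
P = 1019
Q = 509
G = 4  # 4 = 2^2 is a quadratic residue mod P, hence has order exactly Q


def check_params() -> bool:
    """Sanity-check the toy group: G generates a subgroup of prime order Q."""
    return P == 2 * Q + 1 and 1 < G < P and pow(G, Q, P) == 1


def keygen(nu: int, rng=secrets.randbelow) -> Tuple[List[int], List[int]]:
    """Secret key x in Z_Q^nu; public key [x] = (G^x_1, ..., G^x_nu)."""
    if nu < 1:
        raise ValueError("dimension nu must be at least 1")
    sk = [rng(Q) for _ in range(nu)]
    pk = [pow(G, x, P) for x in sk]
    return sk, pk


def in_subgroup(y: int) -> bool:
    """Membership test for the order-Q subgroup (1 <= y < P and y^Q = 1)."""
    return 1 <= y < P and pow(y, Q, P) == 1


def shared_key(sk_i: List[int], pk_j: List[int]) -> int:
    """Shared key [<x_i, x_j>] = prod_k pk_j[k]^sk_i[k]: an inner product in the exponent.

    Symmetric by construction: party j computes the same value from (sk_j, pk_i).
    """
    if len(sk_i) != len(pk_j):
        raise ValueError("dimension mismatch between secret and public key")
    # Reject public keys outside the prime-order subgroup before exponentiating
    # with a secret: otherwise the key would leak information about sk_i mod
    # the order of a small-subgroup element.
    for y in pk_j:
        if not in_subgroup(y):
            raise ValueError("public key element not in the prime-order subgroup")
    k = 1
    for x, y in zip(sk_i, pk_j):
        k = (k * pow(y, x, P)) % P
    return k


def demo(nu: int) -> Tuple[int, int]:
    """Run one exchange between two freshly generated parties of dimension nu."""
    sk_a, pk_a = keygen(nu)
    sk_b, pk_b = keygen(nu)
    return shared_key(sk_a, pk_b), shared_key(sk_b, pk_a)


if __name__ == "__main__":
    assert check_params()
    for nu in (1, 2, 8):
        k_ab, k_ba = demo(nu)
        print(f"nu={nu}: both parties derive {k_ab}, agree={k_ab == k_ba}")
```

Note that nothing here makes the scheme tightly secure: it only exhibits the algebraic shape that the lower bound above reasons about, where a party's public key is a vector of group elements and the shared key is a bilinear function of the two secret vectors evaluated in the exponent.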
We exhibit a tradeoff between security and key size for tight reductions. We show that it is possible to circumvent the inherent tradeoff above by relaxing the desired security notion. Concretely, we consider the natural notion of semi-adaptive security, where the adversary has to commit to a single test query after seeing all public keys. As a feasibility result, we bring forward the first scheme that enjoys compact public keys and tight semi-adaptive security under the conjunction of the matrix Diffie-Hellman and learning with errors assumptions.
We believe that our results shed new light on the role of adaptivity in NIKE security, and also illustrate the special role of NIKE when it comes to tight security reductions.
D. Hofheinz and R. Langrehr—Supported in part by ERC CoG grant 724307.
Notes
- 1.
- 2. This means that we can currently only map NIKE adversaries with success probability \(\varepsilon \) and runtime \(t\) to adversaries on a suitable computational assumption with runtime \(t'\approx t\) but success probability no more than \(\varepsilon '\approx \varepsilon /N\).
- 3. In a nutshell, the meta-reduction extracts enough shared keys from \(\varLambda \) to take the role of a successful adversary in a rewound \(\varLambda \)-instance. If \(\varLambda \) is “too successful”, this causes \(\varLambda \) to solve the underlying computational problem with these extracted keys. Hence, \(\varLambda \) solves the underlying problem essentially by interacting with itself.
- 4. For our results we require uniqueness of a corresponding public key vector given the public key, which holds for all DH-based schemes from the literature, including our first NIKE.
- 5. To capture adversaries with arbitrary success probability \(\varepsilon _\mathcal {A} \), the hypothetical adversary can simply flip a biased coin and only output the shared key with probability \(\varepsilon _\mathcal {A} \).
- 6. Even though only one secret key is necessary to compute the shared key, we can only be sure that the reduction is committed to the shared key when given both secret keys, since the reduction could switch to a semi-functional public key (without a valid secret key).
- 7. This is a slight oversimplification. In fact, programming also requires making public keys semi-functional, as in the security proof of \({\mathtt {NIKE}} _\mathsf {ip}\) sketched above. Our formal programmability definition will allow for such adjustments during programming.
- 8. This is again an oversimplification: for a particular choice of tag, one involved party \(P_i\) will not be able to compute the TNIKE shared key, while the other party \(P_j\) will be able to compute a shared key that depends on entropy in \(P_j\)’s secret key.
- 9. In this overview, we neglect the fact that \(\tau \) should be a small scalar. Our full scheme will actually encrypt \(\tau \) bitwise.
- 10.
- 11. They correctly prove that \(\mathcal {U} _{\ell ,k}\hbox {-}\mathsf {MDDH}\) is tightly equivalent to \(\mathcal {U} _{k}\hbox {-}\mathsf {MDDH}\), but the proof cannot show that Q-fold \(\mathcal {U} _{\ell ,k}\hbox {-}\mathsf {MDDH}\) is tightly equivalent to Q-fold \(\mathcal {U} _{k}\hbox {-}\mathsf {MDDH}\).
- 12. For simplicity of this explanation we assume for now that such a set of keys exists, but stress that our results do not rely on it.
© 2021 International Association for Cryptologic Research
Cite this paper
Hesse, J., Hofheinz, D., Kohl, L., Langrehr, R. (2021). Towards Tight Adaptive Security of Non-interactive Key Exchange. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science(), vol 13044. Springer, Cham. https://doi.org/10.1007/978-3-030-90456-2_10
DOI: https://doi.org/10.1007/978-3-030-90456-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90455-5
Online ISBN: 978-3-030-90456-2