Selected Papers: Research Activities in Laboratories of New Fellows Part II

New Paradigm for Practical without Random Oracles Tatsuaki Okamoto† Abstract This paper introduces a new paradigm for making various types of cryptographic primitives such as authenticated exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman assumption, target collision resistant hash functions, and a class of pseudo- random functions. It describes a new two-pass authenticated (AKE) protocol (based on the public key infrastructure model) that is comparable in efficiency to the most efficient of the existing protocols and secure (under these assumptions), whereas existing efficient two-pass AKE protocols are secure in the model. This protocol is shown to be secure in the (currently) strongest secu- rity definition, the extended Canetti-Krawczyk (eCK) security definition. This paper also describes a key encapsulation mechanism (KEM) that is secure against adaptive chosen attacks (i.e., CCA- secure) under these assumptions and almost as efficient as the Kurosawa-Desmedt KEM. The schemes presented this paper are validity-check-free, which implies that combining them with validity-check-free symmetric (data encryption mechanism) will yield validity-check-free (e.g., free of code) CCA-secure hybrid encryption.

1. Introduction The most common paradigm for designing practi- cal public-key cryptosystems that are secure in the The concept of public-key cryptosystems was standard model is to combine a introduced by Diffie and Hellman in 1976 to solve the (e.g., Diffie-Hellman or RSA (Rivest, Shamir, Adle- key agreement problem over insecure networks (like man) function) and target collision resistance (TCR) the Internet). The standard security notion of a pub- hash functions, where the security is proven under a lic-key (encryption) is security against trapdoor function assumption (e.g., DDH (decisional adaptive chosen ciphertext attacks (i.e., CCA-securi- Diffie-Hellman) or strong RSA assumption) and the ty), and there are two major methodologies for TCR hash function assumption [3]–[5]. This paper designing practical CCA-secure public-key encryp- introduces a new paradigm for designing practical tion: one is based on the random oracle model and the public-key cryptosystems, where a class of pseudo- other on the standard model. A CCA-secure scheme random functions (PRFs) PRFs with pairwise-inde- in the standard model provides a real security guaran- pendent random sources (πPRFs), is used in addition tee, whereas a CCA-secure scheme in the random to a trapdoor function (Diffie-Hellman function) and oracle model is guaranteed to be secure under unreal- TCR hash function. istic idealization of a hash function as an ideal ran- The concept of a PRF was introduced by Goldreich, dom function. One of the most important topics for Goldwasser, and Micali [6]. The PRF has been shown the last ten years has been to design a truly practical to exist if and only if a one-way function exists [6], public-key cryptosystems in the standard model*1. [7]. Therefore, the existence of a PRF is one of the weakest assumptions, so it is one of the most funda- † NTT Information Sharing Platform Laboratories Musashino-shi, 180-8585 Japan *1 For a general explanation of the standard model and random ora- Email: [email protected] cle model, see for example [1], [2].

 NTT Technical Review Selected Papers: Research Activities in Laboratories of New Fellows Part II

mental primitives in *2. 2. Preliminaries Since a TCR hash function (and the slightly more general concept of the universal one-way hash func- 2.1 Notation − tion) has also been shown to exist if and only if a is the set of natural numbers and is the set of one-way function exists [9], [10], the TCR hash func- real numbers. denotes a null string. − tion and PRF are on the same level as (the most) A function f : → is negligible in k, if for every fundamental primitives in cryptography. In practice, constant c > 0, there exists integer n such that f(k) < a well-designed efficient hash function can be k−c for all k > n. assumed to be a TCR hash function, and such a hash If A is a probabilistic machine or algorithm, A( ) function with a random as part of the input (or a denotes the random variable of A’s output on input . keyed hash function) can be assumed to be a PRF Then, ← A( ) denotes that is randomly selected (and a πPRF). from A( ) according to its distribution. If a is a value, Authenticated key exchange (AKE) protocols have A( ) → a denotes the event that A outputs a on input been extensively studied to enhance the security of . If A is a set, ← A denotes that is uniformly the Diffie-Hellman (DH) key exchange protocol, selected from A. If A is a value, ← A denotes that which was proposed in 1976, because the DH proto- is set to A. col is not secure against the man-in-the-middle In this paper, the underlying machines are consid- attack[11]–[17]. ered to be uniform Turing machines, but the results This paper presents a two-pass AKE protocol that can easily be extended to non-uniform Turing has the following properties. machines. 1. It is comparable in efficiency to MQV [16], HMQV [14], and CMQV [17] (the scheme’s 2.2 Decisional Diffie-Hellman (DDH) assump- message size for one party is that of MQV plus tion the size of three group elements, and the compu- Let k be a security parameter and be a group with tational complexity for a session of this scheme security parameter k, where the order of is prime p is around 3.7 group exponentiations, while that and |p| = k. Let { }k be the set of groups with secu- of MQV is around 2.2 group exponentiations). rity parameter k. 2. The assumption and model for its proof of secu- For all k∈ , we define the sets and as fol- rity are three assumptions (DDH, TCR hash lows: 2 function, and πPRF) and the standard model (not (k)←{( , 1, 2, 1, 2) | ← { }k, ( 1, 2) ← , the random oracle model). ← p} 3. Its underlying security definition is (currently) (k)←{( , 1, 2, 1, 2) | ← { }k, ( 1, 2, 1, 2) the strongest one: the extended Canetti-Krawc- ← 4}. zyk (eCK) security definition introduced by Let be a probabilistic polynomial-time machine. LaMacchia, Lauter and Mityagin [15]. For all k ∈ , we define the DDH advantage of as 4. Its security proof reduction efficiency is better (k) ← | Pr [ (1k, )→1| ← (k)] − Pr than those of previous protocols in the random [ (1k, ) → 1| ← (k)] |. oracle model. The DDH assumption for { }k∈ is: For any proba- This paper also presents a CCA-secure (i.e., secure bilistic polynomial-time adversary , (k) against adaptive chosen ciphertext attacks) key is negligible in k. encapsulation mechanism (KEM) under these assumptions that is almost as efficient as the Kuro- 2.3 Pseudo-random Function (PRF) sawa-Desmedt KEM [5]. Let k ∈ be a security parameter. A PRF family The schemes presented in this paper are validity- associated with { k}k∈ , { k}k∈ and { k}k∈ check-free, which implies validity-check-free (e.g., specifies two items: free of message authentication code (MAC-free)) – A family of random seeds { k}k∈ . CCA-secure hybrid encryption if they are combined – A family of PRFs indexed by k, ← k, ← with validity-check-free CCA-secure symmetric , ← k, and ← k, where each such encryption (data encryption mechanism (DEM)). function k, , , maps an element of to an ele- Therefore, their can be decrypted with no validity-check. *2 For a general explanation of cryptographic primitives, see for ex- ample [8].

Vol. 6 No. 1 Jan. 2008  Selected Papers

ment of . There must exist a deterministic poly- { k}k∈ specifies two items: nomial-time algorithm that on input 1k, , and , – A family of key spaces indexed by k. Each such outputs k, , , ( ). key space is a probability space of bit strings O Let be a probabilistic polynomial-time machine denoted by k. There must exist a probabilistic with oracle access to O. For all k, we define polynomial-time algorithm whose output distri- F k RF k k , (k) ←|Pr [ (1 , , )→1] − Pr[ (1 , bution on input 1 is equal to k. , ) → 1]|, – A family of hash functions indexed by k, h ← k, where ← k, ← , ← k, ← k, F ← ← k, and ← k, where each such func- k, , , k, , , and RF : → is a truly random function tion h maps an element of to an element of (∀ ∈ RF( ) ← ). . There must exist a deterministic polynomial- is a PRF family if, for any probabilistic polyno- time algorithm that on input 1k, h, and , outputs k, , mial-time adversary , , (k) is negligible h ( ). in k. Let be a probabilistic polynomial-time machine. For all k, we define * k , , 2.4 Pseudo-random function with pairwise-inde- , (k)←Pr [ ∈ =/ h k, , * k * pendent random sources (πPRF) ( ) = h ( )| ← (1 , , h, , )], * Here, we introduce a specific class of PRFs, where ← k, ← k, ← and h ← k. πPRFs. is a TCR hash function family if for any probabilistic Let k∈ be a security parameter and be a PRF polynomial-time adversary , , (k) is family associated with { k}k∈ , { k}k∈ , and negligible in k. { k}k∈ . We then define a πPRF family for . 2.6 PKI-based authenticated key exchange Let ← k, ← k, ← k, and RF: (AKE) and eCK security definition → be a truly random function (∀ ∈ RF( ) ← ). This section outlines the eCK security definition Let I be a set of indices regarding such that [16] for two-pass AKE protocols based on the public there exists a deterministic polynomial-time algo- key infrastructure (PKI) model and follows the rithm, f : I → , that on input i ∈I , outputs i ∈ description in [17]. . The eCK definition assumes that there are n parties, Let i0, i1, ..., it(k) be random variables indexed by which are modeled as probabilistic polynomial-time I , where ij ∈I ( j = 0, 1, ..., t(k)) and t(k) is a poly- Turing machines. We assume that these parties have nomial of k. Let i0 be pairwisely independent from agreed some common parameters (common refer- other variables, i1, ..., it(k) and each variable be uni- ence strings) in the AKE protocol before the protocol formly distributed over . That is, for any pair of ( is started. The parameter selection mechanism is out 2 i0, ij) ( j = 1, ..., t(k)), for any ( , ) ∈ , Pr[ i0 → of the scope of the AKE protocol and the (eCK) secu- 2 ij → ] = Pr[ i0 → ] . Pr[ ij → ] = 1/| | . rity model. Let F, I be a probabilistic polynomial-time Each party has a static public-private key pair machine that queries qj ∈ along with ij ∈I to F together with a certificate that binds the public key to k, , , and receives the reply (qj) for each j = 0, 1, that party. Aˆ (or Bˆ ) denotes the static public key A (or ij ..., t(k). B) of party ( ) together with a certificate. The cer- Let RF, I be the same as F, I except that k, , , tifying authority (CA) is not assumed to require par- ij (q0) is replaced by RF(q0). ties to prove possession of their static private keys, For all k, we define but the CA is required to verify that the static public F, I k πPRF , I , (k) ← |Pr[ (1 , , ) → 1] − key of a party belongs to the domain of public keys. Pr[ RF, I (1k, , ) → 1]|. Here, two parties exchange static public keys A, B is a πPRF family with index {(I , f )} ∈ k, k∈ and ephemeral public keys X, Y; the session key is if for any probabilistic polynomial-time adversary , obtained by combining A, B, X, Y and possibly ses- πPRF , I , (k) is negligible in k. sion identities. A party can be activated to execute an instance of the protocol called a session. Activa- 2.5 Target collision resistant (TCR) hash func- tion is made via an incoming message that has one of tion the following forms: ( Aˆ, Bˆ) or Bˆ, Aˆ, X). If was Let k∈ be a security parameter. A TCR hash func- activated with ( Aˆ, Bˆ), then is called the session tion family associated with { k}k∈ and initiator; otherwise, it is called the session responder.

 NTT Technical Review Selected Papers

Session initiator creates ephemeral public-private –  issues a ( ) query or a — — key pair (X, ) and sends ( Bˆ, Aˆ, X) to session respond- ( ) query (if exists), — er . then creates ephemeral public-private key pair –  exists and makes either of the following (Y, ) and sends ( Aˆ, Bˆ, X, Y) to . queries: The session of initiator with responder is iden- both ( ) and ˆ ˆ tified via session identifier ( A, B, X, Y), where and ( ) or are said to be the owner and peer of the session, both ( ) and — respectively. The session of responder with initiator ( ), — is identified as ( Bˆ, Aˆ, Y, X), where is the owner –  does not exist and makes either of the fol- and is the peer. Session ( Bˆ, Aˆ, Y, X) is said to be a lowing queries: ˆ ˆ matching session of ( A, B, X, Y). We say that a session both ( ) and is completed if its owner computes a session key. ( ) or ( ). The adversary is modeled as a probabilistic Now we are ready to the eCK security polynomial-time Turing machine and controls all notion. communications. Parties submit outgoing messages Definition 2. (eCK security) Let K* be the session key to the adversary, who makes decisions about their of the target session * that should be fresh, R*← {0, delivery. The adversary presents parties with incom- 1}|K*|, and b* ← {0, 1}. As a reply to ( *) query ing messages via (message), thereby controlling by , K* is given to if b* = 0; R*; otherwise, R* is the activation of sessions. In order to capture private given. Finally, outputs b ∈{0, 1}. We define information that may leak, adversary is allowed (k) ← |Pr[b = b*] − 1/2|. the following queries: A key exchange protocol is secure if the following –  ( ) The adversary obtains conditions hold: the ephemeral private key associated with session – If two honest parties complete matching sessions, . then they both compute the same session key (or –  ( ) The adversary obtains the both output an indication of protocol failure). session key for session , provided that the ses- – For any probabilistic polynomial-time adversary sion has a session key. , (k) is negligible in k. –  ( ) The adversary learns the This security definition is stronger than the original static private key of party . form of Canetti-Krawczyk security [11] and it simul- –  ( ) This query makes it possible taneously captures all the known desirable security for the adversary to register a static public key on properties for authenticated key exchange including behalf of a party. In this way, the adversary com- resistance to key-compromise impersonation attacks, pletely controls that party. weak perfect forward secrecy, and resilience to the If a party is established by ( ) leakage of ephemeral private keys. query issued by adversary , then we call the party dishonest. If a party is not dishonest, we call it hon- 2.7 Key encapsulation mechanism (KEM) est. A KEM scheme is the triplet of algorithms, = ( , The aim of adversary is to distinguish a session , ), where key from a random key. Formally, the adversary is 1.  , the key generation algorithm, is a probabilistic allowed to make a special query ( *), where * polynomial-time algorithm that takes a security is called the target session. The adversary is then parameter k∈ (provided in unary) and returns a given with equal probability either the session key K*, pair (pk, sk) of matching public and secret keys. held by *, or a random key R* ← {0, 1}|K*|. The 2.  , the key encryption algorithm, is a probabilistic adversary wins the game if he correctly guesses polynomial-time algorithm that takes as input whether the key is random or not. To define the game, public key pk and outputs a key/ciphertext pair we need the notion of a fresh session as follows: (K*, C*). Definition 1. (fresh session) Let be the session 3.  , the decryption algorithm, is a deterministic identifier of a completed session owned by an honest — polynomial time algorithm that takes as input party with peer , who is also honest. Let be the secret key sk and ciphertext C* and outputs key session identifier of the matching session of , if it K* or ⊥ (⊥ means that the ciphertext is invalid). exists. We define session to be fresh if none of the For all (pk, sk) output by key generation algorithm following conditions hold: and for all (K*, C*) output by key encryption algo-

Vol. 6 No. 1 Jan. 2008  Selected Papers

U 5 U 5 (a0, a1, a2, a3, a4) ← ( p) (b0, b1, b2, b3, b4) ← ( p) a1 a2 a3 a4 b1 b2 b3 b4 A1 ← 1 2 , A2 ← 1 2 , B1 ← 1 2 , B2 ← 1 2 , hA hB

~ ~ U k k ( 1, 2) ← {0, 1} × {0, 1} ˆ ~ k ( , 3) ←F 1 (1 ) ~ ~ +Fa~( 2) mod p ~ 4 (a ← i=0 ai mod p) X1 ← 1, X2 ← 2, 3 X3 ← 1 (Bˆ , Aˆ , X1, X2, X3) 3 (X1, X2, X3) ∈ ? ~ ~ U k k ( 1, 2) ← {0, 1} × {0, 1} ˆ ~ k ( , 3) ←F 1 (1 ) ~~ ~ +F b( 2) mod p ~ 4 (b ← i=0 bi mod p)

Y1 ← 1, Y2 ← 2 3 Y3 ← 1 3 (Aˆ , Bˆ , X1, X2, X3, Y1, Y2, Y3) (Y1, Y2, Y3) ∈ ? ˆ ˆ ˆ ˆ c ←HA (A , B , Y1, Y2, Y3) c ←HA (A , B , Y1, Y2, Y3) ˆ ˆ ˆ ˆ d ←HB (B , A , X1, X2, X3) d ←HB (B , A , X1, X2, X3) a1+ca3 a2+ca4. b1+db3 b2+db4. ←Y1 Y2 ←X1 X2 3 d 3 c Y3 B1B2 Y3 A1A2

K ← F ( ) K ← F ( )

ˆ ˆ 4 Here, ← (A , B , X1, X2, X3, Y1, Y2, Y3). and (A1, A2, B1, B2) ∈ is confirmed indirectly through the certificates.

Fig. 1. New AKE. rithm (pk), (sk, C*) = K* holds. Here, the length of We define the IND-CCA2 advantage of , the key |K*| is specified by l (k), where k is the secu- (k) ← |Pr[b = b*] − 1/2| in the above rity parameter. attack game. Let be an adversary. The attack game is defined We say that a KEM scheme is IND-CCA2-secure in terms of an interactive computation between (secure against adaptive chosen ciphertext attacks) if, adversary and its challenger . The challenger for any probabilistic polynomial-time adversary , responds to the oracle queries made by . The attack (k) is negligible in k. game (IND-CCA2 game) used to define security against adaptive chosen ciphertext attacks (IND- 3. New AKE protocol CCA2) is described below. 1. The challenger generates a pair of keys (pk, sk) 3.1 Protocol k ← (1 ) and gives pk to adversary . Let k∈ be a security parameter, let ← { }k be a 2 2. Repeat the following procedure q1(k) times, for group with security parameter k, and let ( 1, 2) ← , i = 1, . . . , q1(k), where q1(.) is a polynomial. where the order of is prime p and |p| = k. Let be submits string Ci to a decryption oracle, DO (in a TCR hash function family, Fˆ and F˜ be PRF families C), and DO returns sk (Ci) to . and be a πPRF family. 3.  submits the encryption query to C. The ( , 1, 2), , , ˜, and ˆ are the system parameters encryption oracle EO in C selects b* ← {0, 1} and common among all users of this AKE protocol computes (C*, K*) ← (pk) and returns (C*, K*) (although ˜ and ˆ can be set privately by each party). to if b* = 0 and (C*, K*) if b* = 1, where R* ← We assume that the system parameters are selected by {0, 1}|K*| (C* is called the target ciphertext). a trusted third party. 4. Repeat the following procedure q2(k) times, for Party ’s static private key is (a1, a2, a3, a4) ← ( 5 a1 a2 j = q1(k)+1, . . . , q1(k) + q2(k), where q2(.) is a p) and ’s static public key is A1 ← 1 2 , A2 ← a3 a4 polynomial. submits string Cj to a decryption 1 2 . Here, hA ← k indexes a TCR hash function k, DH, RH 4 oracle, DO (in ), subject only to the restriction HA ← h , where DH ← ∏ k × , H ← p, and * A that a submitted text Cj is not identical to C . DO ∏ k denotes the space of possible certificates for static returns sk (Cj) to . public keys. 5. outputs b ∈{0, 1}. Similarly, Party ’s static private key is (b0, b1, b2,

 NTT Technical Review Selected Papers

5 b1 b3, b4) ← ( p) and ’s static public key is B1 ← 1 {(I , f )} ∈{ }k, k∈ , where I ← {(V, W, d)|(V, W, b2 b3 b4 2 r1+dr2 2 , B2 ← 1 2 . Here, hB ← k indexes a TCR hash d) ∈ × p} and f : (V, W, d) V W with (r1, k, DH, RH 2 function HB ← h . r2) ← p. and set πPRF and PRFs F ← k, , , , F˜ k, , , k, , , ← F˜ F˜ F˜ F˜ and Fˆ ← Fˆ Fˆ Fˆ Fˆ, where ← , 4. New KEM scheme 2 10 k ← (∏ k) × , ← {0, 1} , ˜ ← p, ˜ ← k 2 k k {0, 1} , ˜ ←( p) , ˆ ← {0, 1} , ˆ ← {0, 1} , and 4.1 Scheme 2 ˆ ← ( p) . This section shows a CCA-secure KEM scheme. To establish a session key with party , party Let k∈ be a security parameter and let ← { }k be performs the following procedure. a group with security parameter k, where the order of k 1. Select an ephemeral private key (˜1, ˜2) ← {0, 1} is prime p and |p| = k. Let be a TCR hash function × {0, 1}k. family and be a PRF family. 4 ˆ k 2. Compute a˜ ← i=0 ai mod p ( , 3) ← F˜1 (1 ) Secret key: The secret key is sk←( 1, 2, 1, 2) ← ˜ 4 +F a˜ (˜2) mod p (as two-dimensional vectors) and p. 1 2 1 2 the ephemeral public key (X1 ← 1, X2 ← 2, X3 Public key: 1 ← , 2 ← , z ← 1 2 , ← 1 2 , 3 k, H, H k, , , ← 1 ). Note that the value of ( , 3) (and a˜) is H ← h and F ← , where h ← k, 2 only computed in a computation process of the H ← {pk} × (pk is a possible public-key value), 2 ephemeral public key from ephemeral and static H ← p, ← , ← {pk} × and ← {0, private keys. 1}k. 3. Erase ( , 3) and the whole computation history The public key is pk ← ( , 1, 2, z, , H, F). of the ephemeral public key. Encryption: Choose r ← p and compute ˆ ˆ r 4. Send ( B, A, X1, X2, X3) to . C1 ← 1, ˆ ˆ r Upon receiving ( B, A, X1, X2, X3), party verifies C2 ← 2, 3 that (X1, X2, X3) ∈ . If so, perform the following d ← H (z, , C1, C2) procedure. ← zr rd k 1. Select an ephemeral private key ( ˜1, ˜2) ← {0, 1} K ← F (pk, C1, C2). k × {0, 1} . (C1, C2) is a ciphertext and K is the secret key to be ˜ 4 ˆ k 2. Compute b ← i=0 bi mod p ( , 3) ← F ˜1 (1 ) + shared. F˜b˜ (˜2) mod p (as two-dimensional vectors) and Decryption: Given (z, , C1, C2), check whether 4 the ephemeral public key (Y1 ← 1, Y2 ← 2, Y3 (z, , C1, C2) ∈ . 3 ← 1 ) If it holds, compute 3. Erase ( , 3) and the whole computation history d ← H (z, , C1, C2) x1+ 1 x2+ 2 of the ephemeral public key. ← C1 C2 4. Send ( Aˆ, Bˆ, X1, X2, X3, Y1, Y2, Y3) to . K ← F (pk, C1, C2). Upon receiving(A ˆ, B ˆ, X1, X2, X3, Y1, Y2, Y3), party checks if he sent ( Bˆ, Aˆ, X1, X2, X3) to . If so, veri- 4.2 CCA security 3 fies that (Y1, Y2, Y3) ∈ . Theorem 2. To compute the session key, computes A ← The new KEM scheme is IND-CCA2-secure if the a1+ca3 a2+ca4 3 d b1+db3 Y1 Y2 Y3 B1B2 , and computes B ← X1 DDH assumption holds for { }k∈ , if H is a TCR hash function family, and if is a PRF family with b2+db4 3 c ˆ ˆ π X2 X3 A1A2 , where c ← HA( A, B, Y1, Y2, Y3) and d index {(I , f )} ∈{ }k, k∈ , where I ← {(V, W, d)|(V, 2 r +dr ← HB ( Bˆ, Aˆ, X1, X2, X3). W, d) ∈ × p} and f : (V, W, d) V 1 2W with 2 If they are correctly computed, then ← A (= B). (r1, r2) ← p. The session key is K ← F ( ), where ← ( Aˆ, Bˆ, X1, X2, X3, Y1, Y2, Y3). 5. Concluding remarks

3.2 Security This paper introduced a new paradigm for making Theorem 1. various types of cryptographic primitives such as The new AKE protocol is secure (in the sense of authenticated key exchange and key encapsulation Definition 2) if the DDH assumption holds for without random oracles under the three standard ˜ { } k∈ , where is a TCR hash function family, and assumptions: the DDH assumption, TCR hash func- ˆ are PRF families and is a πPRF family with index tions, and πPRFs. These schemes are secure without

Vol. 6 No. 1 Jan. 2008  Selected Papers

random oracles and almost as efficient as the most [13] T. Matsumoto, Y. Takashima, and H. Imai, “On Seeking Smart Public- key Distribution Systems,” Transactions of the IECE of Japan, efficient schemes secure in the random oracle model. E69:99–106, 1986. Therefore, they are good candidates for replacing [14] H. Krawczyk, “HMQV: A high-performance secure Diffie-Hellman practical schemes in the random oracle model and protocol,” Advances in Cryptology, Crypto 2005, Lecture Notes in *3 Computer Science, Vol. 3621, 2005. will have many practical applications [18]. http://eprint.iacr.org/2005/176. [15] B. LaMacchia, K. Lauter, and A. Mityagin, “Stronger security of References authenticated key exchange,” Cryptology ePrint Archive, Report 2006/073, 2006. http://eprint.iacr.org/2006/073. [1] http://en.wikipedia.org/wiki/Standard_Model_%28cryptography%29 [16] L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone, “An efficient [2] http://en.wikipedia.org/wiki/Random_oracle_model protocol for authenticated key agreement,” Designs, Codes and Cryp- [3] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, “Tag-KEM/DEM: tography 28, pp. 119–134, 2003. A New Framework for Hybrid Encryption and New Analysis of Kuro- [17] B. Ustaoglu, “Obtaining a secure and efficient key agreement protocol sawa-Desmedt KEM,” Adv. in Cryptology, Eurocrypt 2005, Lecture from (H)MQV and NAXOS,” Cryptology ePrint Archive, Report Notes in Computer Science, Vol. 3494, pp. 128–146, 2005. 2007/123, 2007. [4] R. Cramer and V. Shoup, “Design and analysis of practical public-key http://eprint.iacr.org/2007/123 encryption schemes secure against adaptive chosen ciphertext attack,” [18] T. Okamoto, “Authenticated Key Exchange and Key Encapsulation SIAM Journal on Computing, Vol. 33, No. 1, pp. 167–226, 2003. without Random Oracles,” http:/eprint.iacr.org/2007/473 [5] K. Kurosawa and Y. Desmedt, “A New Paradigm of Hybrid Encryp- tion Scheme,” Advances in Cryptology, Crypto 2004, Lecture Notes in Computer Science,Vol. 3152, Springer-Verlag, pp. 426–442, 2004. [6] O. Goldreich, S. Goldwasser, and S. Micali, “How to Construct Ran- dom Functions.” Journal of the ACM, Vol. 33, No. 4, pp. 792–807, 1986. [7] J. Hastad, R. Impagliazzo, L. Levin, and M. Luby, “A Pseudorandom Generator from any One-way Function,” SIAM Journal on Comput- ing, Vol. 28, No. 4, pp. 1364–1396, 1999. [8] http://en.wikipedia.org/wiki/Cryptographic_primitive Tatsuaki Okamoto [9] M. Naor and M. Yung, “Universal one-way hash functions and their Research Fellow, Okamoto Research Labora- cryptographic applications,” Proceedings of the 21st Annual ACM tory, NTT Information Sharing Platform Labo- Symposium on Theory of Computing, pp. 33–43, 1989. ratories. He received the B.E., M.E., and Dr.Eng. [10] J. Rompel, “One-way functions are necessary and sufficient for secure degrees from University of Tokyo, Tokyo, in signatures. Proceedings of the 22nd Annual ACM Symposium on 1976, 1978, and 1988, respectively. He is a Theory of Computing, pp. 387–394, 1990. member of the Institute of Electronics, Informa- tion and Communication Engineers (IEICE) of [11] R. Canetti, and H. Krawczyk, “Analysis of key-exchange protocols Japan and International Association for Crypto- and their use for building secure channels,” Advances in Cryptology, logic Research. Eurocrypt 2001, Lecture Notes in Computer Science, Vol. 2045, 2001. http://eprint.iacr.org/2001/040. [12] A. Menezes, “Another look at HMQV,” Journal of Mathematical Cryptology 1, pp. 148–175, 2007.

*3 Detailed descriptions and proofs of the theorems are given in [18].

 NTT Technical Review