Selected Papers: Research Activities in Laboratories of New Fellows Part II New Paradigm for Practical Cryptosystems without Random Oracles Tatsuaki Okamoto† Abstract This paper introduces a new paradigm for making various types of cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman assumption, target collision resistant hash functions, and a class of pseudo- random functions. It describes a new two-pass authenticated key exchange (AKE) protocol (based on the public key infrastructure model) that is comparable in efficiency to the most efficient of the existing protocols and secure (under these assumptions), whereas existing efficient two-pass AKE protocols are secure in the random oracle model. This protocol is shown to be secure in the (currently) strongest secu- rity definition, the extended Canetti-Krawczyk (eCK) security definition. This paper also describes a key encapsulation mechanism (KEM) that is secure against adaptive chosen ciphertext attacks (i.e., CCA- secure) under these assumptions and almost as efficient as the Kurosawa-Desmedt KEM. The schemes presented this paper are validity-check-free, which implies that combining them with validity-check-free symmetric encryption (data encryption mechanism) will yield validity-check-free (e.g., free of message authentication code) CCA-secure hybrid encryption. 1. Introduction The most common paradigm for designing practi- cal public-key cryptosystems that are secure in the The concept of public-key cryptosystems was standard model is to combine a trapdoor function introduced by Diffie and Hellman in 976 to solve the (e.g., Diffie-Hellman or RSA (Rivest, Shamir, Adle- key agreement problem over insecure networks (like man) function) and target collision resistance (TCR) the Internet). The standard security notion of a pub- hash functions, where the security is proven under a lic-key cryptosystem (encryption) is security against trapdoor function assumption (e.g., DDH (decisional adaptive chosen ciphertext attacks (i.e., CCA-securi- Diffie-Hellman) or strong RSA assumption) and the ty), and there are two major methodologies for TCR hash function assumption [3]–[5]. This paper designing practical CCA-secure public-key encryp- introduces a new paradigm for designing practical tion: one is based on the random oracle model and the public-key cryptosystems, where a class of pseudo- other on the standard model. A CCA-secure scheme random functions (PRFs) PRFs with pairwise-inde- in the standard model provides a real security guaran- pendent random sources (πPRFs), is used in addition tee, whereas a CCA-secure scheme in the random to a trapdoor function (Diffie-Hellman function) and oracle model is guaranteed to be secure under unreal- TCR hash function. istic idealization of a hash function as an ideal ran- The concept of a PRF was introduced by Goldreich, dom function. One of the most important topics for Goldwasser, and Micali [6]. The PRF has been shown the last ten years has been to design a truly practical to exist if and only if a one-way function exists [6], public-key cryptosystems in the standard model*. [7]. Therefore, the existence of a PRF is one of the weakest assumptions, so it is one of the most funda- † NTT Information Sharing Platform Laboratories Musashino-shi, 80-8585 Japan * For a general explanation of the standard model and random ora- Email: [email protected] cle model, see for example [], [2]. NTT Technical Review Selected Papers: Research Activities in Laboratories of New Fellows Part II mental primitives in cryptography*2. 2. Preliminaries Since a TCR hash function (and the slightly more general concept of the universal one-way hash func- 2.1 Notation − tion) has also been shown to exist if and only if a is the set of natural numbers and is the set of one-way function exists [9], [0], the TCR hash func- real numbers. denotes a null string. − tion and PRF are on the same level as (the most) A function f : → is negligible in k, if for every fundamental primitives in cryptography. In practice, constant c > 0, there exists integer n such that f(k) < a well-designed efficient hash function can be k−c for all k > n. assumed to be a TCR hash function, and such a hash If A is a probabilistic machine or algorithm, A( ) function with a random seed as part of the input (or a denotes the random variable of A’s output on input . keyed hash function) can be assumed to be a PRF Then, ← A( ) denotes that is randomly selected (and a πPRF). from A( ) according to its distribution. If a is a value, Authenticated key exchange (AKE) protocols have A( ) → a denotes the event that A outputs a on input been extensively studied to enhance the security of . If A is a set, ← A denotes that is uniformly the Diffie-Hellman (DH) key exchange protocol, selected from A. If A is a value, ← A denotes that which was proposed in 976, because the DH proto- is set to A. col is not secure against the man-in-the-middle In this paper, the underlying machines are consid- attack[]–[7]. ered to be uniform Turing machines, but the results This paper presents a two-pass AKE protocol that can easily be extended to non-uniform Turing has the following properties. machines. It is comparable in efficiency to MQV [6], HMQV [4], and CMQV [7] (the scheme’s 2.2 Decisional Diffie-Hellman (DDH) assump- message size for one party is that of MQV plus tion the size of three group elements, and the compu- Let k be a security parameter and be a group with tational complexity for a session of this scheme security parameter k, where the order of is prime p is around 3.7 group exponentiations, while that and |p| = k. Let { }k be the set of groups with secu- of MQV is around 2.2 group exponentiations). rity parameter k. 2. The assumption and model for its proof of secu- For all k∈ , we define the sets and as fol- rity are three assumptions (DDH, TCR hash lows: 2 function, and πPRF) and the standard model (not (k)←{( , , 2, , 2) | ← { }k, ( , 2) ← , the random oracle model). ← p} 3. Its underlying security definition is (currently) (k)←{( , , 2, , 2) | ← { }k, ( , 2, , 2) the strongest one: the extended Canetti-Krawc- ← 4}. zyk (eCK) security definition introduced by Let be a probabilistic polynomial-time machine. LaMacchia, Lauter and Mityagin [5]. For all k ∈ , we define the DDH advantage of as 4. Its security proof reduction efficiency is better (k) ← | Pr [ (k, )→| ← (k)] − Pr than those of previous protocols in the random [ (k, ) → | ← (k)] |. oracle model. The DDH assumption for { }k∈ is: For any proba- This paper also presents a CCA-secure (i.e., secure bilistic polynomial-time adversary , (k) against adaptive chosen ciphertext attacks) key is negligible in k. encapsulation mechanism (KEM) under these assumptions that is almost as efficient as the Kuro- 2.3 Pseudo-random Function (PRF) sawa-Desmedt KEM [5]. Let k ∈ be a security parameter. A PRF family The schemes presented in this paper are validity- associated with { k}k∈ , { k}k∈ and { k}k∈ check-free, which implies validity-check-free (e.g., specifies two items: free of message authentication code (MAC-free)) – A family of random seeds { k}k∈ . CCA-secure hybrid encryption if they are combined – A family of PRFs indexed by k, ← k, ← with validity-check-free CCA-secure symmetric , ← k, and ← k, where each such encryption (data encryption mechanism (DEM)). function k, , , maps an element of to an ele- Therefore, their ciphertexts can be decrypted with no validity-check. *2 For a general explanation of cryptographic primitives, see for ex- ample [8]. Vol. 6 No. 1 Jan. 2008 2 Selected Papers ment of . There must exist a deterministic poly- { k}k∈ specifies two items: nomial-time algorithm that on input k, , and , – A family of key spaces indexed by k. Each such outputs k, , , ( ). key space is a probability space of bit strings O Let be a probabilistic polynomial-time machine denoted by k. There must exist a probabilistic with oracle access to O. For all k, we define polynomial-time algorithm whose output distri- F k RF k k , (k) ←|Pr [ ( , , )→] − Pr[ ( , bution on input is equal to k. , ) → ]|, – A family of hash functions indexed by k, h ← k, where ← k, ← , ← k, ← k, F ← ← k, and ← k, where each such func- k, , , k, , , and RF : → is a truly random function tion h maps an element of to an element of (∀ ∈ RF( ) ← ). There must exist a deterministic polynomial- is a PRF family if, for any probabilistic polyno- time algorithm that on input k, h, and , outputs k, , mial-time adversary , , (k) is negligible h ( ). in k. Let be a probabilistic polynomial-time machine. For all k, we define * k , , 2.4 Pseudo-random function with pairwise-inde- , (k)←Pr [ ∈ =/ h k, , * k * pendent random sources (πPRF) ( ) = h ( )| ← ( , , h, , )], * Here, we introduce a specific class of PRFs, where ← k, ← k, ← and h ← k. πPRFs. is a TCR hash function family if for any probabilistic Let k∈ be a security parameter and be a PRF polynomial-time adversary , , (k) is family associated with { k}k∈ , { k}k∈ , and negligible in k. { k}k∈ . We then define a πPRF family for . 2.6 PKI-based authenticated key exchange Let ← k, ← k, ← k, and RF: (AKE) and eCK security definition → be a truly random function (∀ ∈ RF( ) ← ). This section outlines the eCK security definition Let I be a set of indices regarding such that [6] for two-pass AKE protocols based on the public there exists a deterministic polynomial-time algo- key infrastructure (PKI) model and follows the rithm, f : I → , that on input i ∈I , outputs i ∈ description in [7].
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages7 Page
-
File Size-