Abstract
We introduce \(\textsf{Corr}\textsf{GapCDH}\), the Gap Computational Diffie-Hellman problem in the multi-user setting with Corruptions. In the random oracle model, our assumption tightly implies the security of the authenticated key exchange protocols \(\textsf{NAXOS}\) in the eCK model and (a simplified version of) \(\textsf{X3DH}\) without ephemeral key reveal. We prove hardness of \(\textsf{Corr}\textsf{GapCDH}\) in the generic group model, with optimal bounds matching the one of the discrete logarithm problem.
We also introduce \(\textsf{CorrCR}\textsf{GapCDH}\), a stronger Challenge-Response variant of our assumption. Unlike standard \(\textsf{GapCDH}\), \(\textsf{CorrCR}\textsf{GapCDH}\) implies the security of the popular AKE protocol HMQV in the eCK model, tightly and without rewinding. Again, we prove hardness of \(\textsf{CorrCR}\textsf{GapCDH}\) in the generic group model, with (almost) optimal bounds.
Our new results allow implementations of \(\textsf{NAXOS}\), \(\textsf{X3DH}\), and \(\textsf{HMQV}\) without having to adapt the group sizes to account for the tightness loss of previous reductions. As a side result of independent interest, we also obtain modular and simple security proofs from standard \(\textsf{GapCDH}\) with tightness loss, improving previously known bounds.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Our new and previously known bounds for \(\textsf{HMQV}\) in Fig. 2 are stated in the eCK model disallowing reflection attacks. The reason is that for reflection attacks, one additionally requires the hardness of Square Diffie-Hellman (i.e., compute \(g^{a^2}\) from \(g^a\)) which is non-tightly equivalent to \(\textsf{CDH}\). We remark that our generic group bounds from Fig. 3 can be shown in the full eCK model allowing reflection attacks.
- 2.
Even when dropping the session’s type from the definition of matching sessions (similar to the original CK model), giving a tight proof for the original version of HMQV seems non-trivial since patching the random oracle \(\textsf{H}\) requires more care. In particular, it is always necessary to check if the input corresponds to any session for which the adversary can potentially compute the key, but the reduction itself cannot. In order to handle these queries in a naive way, the reduction needs to query the \(\textsc {Ddh}\) oracle once for each session, leading to \(O(Q_{\textsf{H}}\cdot S)\) queries.
- 3.
On input \(g^x\), the squared \(\textsf{CDH}\) problem requires to compute \(g^{x^2}\).
- 4.
We could also show security of \(\textsf{HMQV}\) including reflection attacks under a variant of \(\textsf{CorrCR}\textsf{GapCDH}\) that does not restrict the winning condition on \(i\ne j\) and which can be reduced non-tightly to squared \(\textsf{GapCDH}\).
References
IEEE Standard Specifications for Public-Key Cryptography. IEEE Std 1363-2000, pp. 1–228 (2000). https://ieeexplore.ieee.org/document/891000
Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12
Bader, C., Hofheinz, D., Jager, T., Kiltz, E., Li, Y.: Tightly-secure authenticated key exchange. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 629–658. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_26
Barthe, G., Crespo, J.M., Lakhnech, Y., Schmidt, B.: Mind the gap: modular machine-checked proofs of one-round key exchange protocols. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 689–718. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_23
Bellare, M., Dai, W.: The multi-base discrete logarithm problem: tight reductions and non-rewinding proofs for Schnorr identification and signatures. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 529–552. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_24
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 62–73. ACM Press (1993). https://doi.org/10.1145/168588.168596
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
Chatterjee, S., Koblitz, N., Menezes, A., Sarkar, P.: Another look at tightness II: practical issues in cryptography. Cryptology ePrint Archive, Report 2016/360 (2016). https://eprint.iacr.org/2016/360
Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 767–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_25
Cremers, C.J.: Formally and practically relating the CK, CK-HMQV, and eCK security models for authenticated key exchange. Cryptology ePrint Archive, Report 2009/253 (2009). https://eprint.iacr.org/2009/253
Dowling, B., Rösler, P., Schwenk, J.: Flexible authenticated and confidential channel establishment (fACCE): analyzing the noise protocol framework. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12110, pp. 341–373. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45374-9_12
Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind Schnorr signatures and signed ElGamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_3
Jager, T., Kiltz, E., Riepel, D., Schäge, S.: Tightly-secure authenticated key exchange, revisited. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 117–146. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_5
Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_2
Kiltz, E., Pan, J., Riepel, D., Ringerud, M.: Multi-user CDH problems and the concrete security of NAXOS and HMQV. Cryptology ePrint Archive, Report 2023/115 (2023). https://eprint.iacr.org/2023/115
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1
Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003). https://doi.org/10.1023/A:1022595222606
Marlinspike, M., Perrin, T.: The X3DH Key Agreement Protocol (2016). https://signal.org/docs/specifications/x3dh/x3dh.pdf
Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1
Menezes, A., Qu, M., Vanstone, S.A.: Some new key agreement protocols providing mutual implicit authentication (1995)
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th FOCS, pp. 458–467. IEEE Computer Society Press (1997). https://doi.org/10.1109/SFCS.1997.646134
Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_8
Pan, J., Wang, L.: TMQV: a strongly eCK-secure Diffie-Hellman protocol without gap assumption. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 380–388. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24316-5_27
Perrin, T.: The noise protocol framework (2017). http://noiseprotocol.org/noise.html
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). https://doi.org/10.1007/s001450010003
Sarr, A.P., Elbaz–Vincent, P.: On the security of the (F)HMQV protocol. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 207–224. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_11
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Crypt. 46(3), 329–342 (2008). https://doi.org/10.1007/s10623-007-9159-1
Ustaoglu, B.: Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman protocols. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 183–197. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04642-1_16
Yao, A.C.C., Zhao, Y.: OAKE: a new family of implicitly authenticated Diffie-Hellman protocols. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 1113–1128. ACM Press (2013). https://doi.org/10.1145/2508859.2516695
Zhao, S., Zhang, Q.: sHMQV: an efficient key exchange protocol for power-limited devices. Cryptology ePrint Archive, Report 2015/110 (2015). https://eprint.iacr.org/2015/110
Acknowledgments
We would like to thank the anonymous reviewers for their thoughtful and constructive comments. Eike Kiltz was supported by the Deutsche Forschungsgemeinschaft (DFG, German research Foundation) as part of the Excellence Strategy of the German Federal and State Governments - EXC 2092 CASA - 390781972, and by the European Union (ERC AdG REWORC - 101054911). Jiaxin Pan was supported by the Research Council of Norway under Project No. 324235. Doreen Riepel was funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Kiltz, E., Pan, J., Riepel, D., Ringerud, M. (2023). Multi-user CDH Problems and the Concrete Security of NAXOS and HMQV. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_25
Download citation
DOI: https://doi.org/10.1007/978-3-031-30872-7_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30871-0
Online ISBN: 978-3-031-30872-7
eBook Packages: Computer ScienceComputer Science (R0)