Abstract
In two-message authenticated key exchange (AKE), the initiator must keep a round state after sending the first round-message, because that state is needed to derive the session key after the second round-message arrives. Up to now, almost all two-message AKEs constructed from public-key encryption (PKE) achieve only a weak security notion that does not allow the adversary to obtain the round state. How to support state reveal and achieve the stronger IND-AA security has been an open problem posed by Hövelmanns et al. (PKC 2020).
In this paper, we solve the open problem with a generic construction of two-message AKE from any CCA-secure Tagged Key Encapsulation Mechanism (TKEM). Our AKE supports state reveal and achieves IND-AA security. Since CCA-secure PKE implies CCA-secure TKEM, our AKE can be constructed from any CCA-secure PKE with a suitable message space. The abundant choices of CCA-secure PKE schemes lead to many IND-AA secure AKE schemes in the standard model. Moreover, following the online-extractability technique of Don et al. (Eurocrypt 2022), we extend the Fujisaki-Okamoto transformation to turn any CPA-secure PKE into a CCA-secure TKEM in the QROM. Therefore, we obtain the first generic construction of IND-AA secure two-message AKE from CPA-secure PKE in the QROM. This construction needs no signature scheme, which is especially helpful in the post-quantum setting, since current quantum-secure PKE schemes are much more efficient than their signature counterparts.
Notes
1. In our final generic construction of AKE, we use a tagged KEM to generate \(c_1\) with the identity as the tag. Here PKE is only a specific construction of tagged KEM.
References
Abe, M., Gennaro, R., Kurosawa, K.: Tag-KEM/DEM: a new framework for hybrid encryption. J. Cryptol. 21(1), 97–130 (2008). https://doi.org/10.1007/s00145-007-9010-x
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bindel, N., Hamburg, M., Hövelmanns, K., Hülsing, A., Persichetti, E.: Tighter proofs of CCA security in the quantum random oracle model. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 61–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_3
Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_6
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Online-extractability in the quantum random-oracle model. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 677–706. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_24
Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_28
Han, S., et al.: Authenticated key exchange and signatures with tight security in the standard model. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 670–700. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_23
Hashimoto, K., Katsumata, S., Kwiatkowski, K., Prest, T.: An efficient and generic construction for signal’s handshake (X3DH): post-quantum, state leakage secure, and deniable. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12711, pp. 410–440. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75248-4_15
Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 389–422. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_14
Huguenin-Dumittan, L., Vaudenay, S.: On IND-qCCA security in the ROM and its applications - CPA security is sufficient for TLS 1.3. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 613–642. Springer, Cham (2022)
Information security-Key management-Part 3: Mechanisms using asymmetric techniques. Standard, International Organization for Standardization (2021). https://www.iso.org/standard/82709.html
Jager, T., Kiltz, E., Riepel, D., Schäge, S.: Tightly-secure authenticated key exchange, revisited. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 117–146. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_5
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
Lyu, Y., Liu, S.: Two-message authenticated key exchange from public-key encryption. Cryptology ePrint Archive, Paper 2023/706 (2023). https://eprint.iacr.org/2023/706
Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_4
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC 2009 (2009). https://doi.org/10.1145/1536414.1536461
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005 (2005). https://doi.org/10.1145/1060590.1060603
Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. In: CCS 2020 (2020). https://doi.org/10.1145/3372297.3423350
Xue, H., Lu, X., Li, B., Liang, B., He, J.: Understanding and constructing AKE via double-key key encapsulation mechanism. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_6
Zhandry, M.: A note on the quantum collision and set equality problems. Quantum Inf. Comput. 15(7&8), 557–567 (2015). https://doi.org/10.26421/QIC15.7-8-2
Acknowledgements
We would like to thank the reviewers for their valuable comments. This work was partially supported by the National Natural Science Foundation of China under Grant 61925207, the Guangdong Major Project of Basic and Applied Basic Research (2019B030302008), and the National Key R&D Program of China under Grant 2022YFB2701500.
Appendices
A PRG, PRF, One-Wayness and TCR of Hash Function
Definition 11
(PRG). Pseudo-Random Generator (PRG) is a polynomially computable deterministic function \(\textsf{PRG}: \mathcal {K}\rightarrow \mathcal {K}'\), where \(\mathcal {K}\) is seed space and \(\mathcal {K}'\) is output space with \(|\mathcal {K}| < |\mathcal {K}'|\). The pseudo-randomness of \(\textsf{PRG}\) requires \(\textsf{Adv}_{\textsf{PRG}}^{\textsf{ps}}(\mathcal {A})=\textsf{negl}(\lambda )\) for all PPT \(\mathcal {A}\), where
Definition 12
(PRF). A Pseudo-Random Function (PRF) is a polynomially computable deterministic function \(\textsf{PRF}: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\), with key space \(\mathcal {K}\), input space \(\mathcal {X}\) and output space \(\mathcal {Y}\). The advantage function of an adversary \(\mathcal {A}\) is defined by
where \(\mathcal {O}_{\textsf{PRF}}(x)\) returns \(\textsf{PRF}(k,x)\) and \(x^*\) is never queried to \(\mathcal {O}_{\textsf{PRF}}(\cdot )\). The pseudo-randomness of \(\textsf{PRF}\) requires \(\textsf{Adv}_{\textsf{PRF}}^{\textsf{ps}}(\mathcal {A}) = \textsf{negl}(\lambda )\) for all PPT \(\mathcal {A}\).
Definition 13
(One-Wayness of Hash). A hash family \(\mathcal {H}=\{\textsf{H}:\{0,1\}^n\rightarrow \{0,1\}^{\ell (n)}\}\) has One-Wayness if the advantage function of an adversary \(\mathcal {A}\), defined by \(\textsf{Adv}_{\textsf{H}}^{\textsf{owf}}(\mathcal {A}):= \Pr \left[ \textsf{Exp}_{\textsf{H}}^{\textsf{owf}}\Rightarrow 1 \right] \), is negligible for all PPT \(\mathcal {A}\), where the experiment \(\textsf{Exp}_{\textsf{H}}^{\textsf{owf}}\) is defined in Fig. 7 (left).
Definition 14
(TCR of Hash). A hash family \(\mathcal {H}=\{\textsf{H}:\{0,1\}^n\rightarrow \{0,1\}^{\ell (n)}\}\) is Target Collision Resistant (TCR) if the advantage function of an adversary \(\mathcal {A}\), defined by \(\textsf{Adv}_{\textsf{H}}^{\textsf{tcr}}(\mathcal {A}):= \Pr \left[ \textsf{Exp}_{\textsf{H}}^{\textsf{tcr}}\Rightarrow 1 \right] \), is negligible for all PPT \(\mathcal {A}\), where the experiment \(\textsf{Exp}_{\textsf{H}}^{\textsf{tcr}}\) is defined in Fig. 7 (right).
When \(n-\ell (n)\ge \lambda \), the TCR property of \(\mathcal {H}\) implies one-wayness: since \(\textsf{H}\) then compresses by at least \(\lambda \) bits, a uniformly random \(x\) has further preimages with overwhelming probability, and an inverter that sees only \(\textsf{H}(x)\) cannot tell which preimage was chosen, so its output \(x'\) differs from \(x\) with noticeable probability and forms a target collision.
B The Final AKE in QROM
The final AKE in the QROM uses the following hash functions:
- \(G: \mathcal {K}\times \mathcal {T}\rightarrow \mathcal {R}\), used to generate the randomness of \(\textsf{PKE}\).
- \(\textsf{H}: \mathcal {K}\rightarrow \varSigma \), used as a target collision resistant hash function, where \(\mathcal {K}= \varSigma \times \varSigma \).
- \(H_1: \mathcal {K}\times \mathcal {T}\rightarrow \mathcal {K}\), used to generate the encapsulation key.
- \(H_2: \mathcal {K}\times \{0,1\} \rightarrow \mathcal {K}\), used as a pseudo-random generator.
- \(H: \{0,1\}^* \rightarrow \mathcal {K}\), used to generate the session key.
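The roles of \(G\) and \(H_1\) above, deriving the PKE randomness and the encapsulation key from the message together with the tag, are exactly what a Fujisaki-Okamoto-style tagged KEM needs. The following Python is an added example and not code from the paper: it builds a tagged KEM from a CPA-secure PKE by derandomising encryption with \(G(m, \textsf{tag})\) and re-encrypting at decapsulation, using textbook ElGamal over a toy-sized safe-prime group as the CPA-secure PKE and SHA-256 stand-ins for \(G\) and \(H_1\). The group size, the explicit rejection on failure, the SHA-256 domain separation and the identity string used as the tag are all assumptions of the example; the paper's exact transform and its QROM proof are not reproduced here.

```python
import hashlib
import random
import secrets

# --- toy CPA-secure PKE: textbook ElGamal in the order-q subgroup of Z_p^*, p = 2q + 1 ---

SMALL_PRIMES = [n for n in range(3, 2000) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n, rounds=24):
    """Trial division followed by Miller-Rabin (probabilistic; adequate for a toy)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 both prime; rng is seeded so the toy group is reproducible."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = gen_safe_prime(160, random.Random(2023))  # TOY SIZE (assumption): use an RFC 3526 group in practice
GEN = 4  # a quadratic residue other than 1, hence a generator of the order-q subgroup


def pke_keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(GEN, sk, P)


def pke_enc(pk, m, r):
    """Deterministic given r; the FO re-encryption check depends on this."""
    return pow(GEN, r, P), (m * pow(pk, r, P)) % P


def pke_dec(sk, c):
    c1, c2 = c
    return (c2 * pow(pow(c1, sk, P), -1, P)) % P


# --- SHA-256 stand-ins (assumption) for G: K x T -> R and H_1: K x T -> K ---

def _enc_int(x):
    return x.to_bytes((P.bit_length() + 7) // 8, "big")


def hash_G(m, tag):
    """PKE randomness derived from the message AND the tag."""
    h = hashlib.sha256(b"G" + _enc_int(m) + tag).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)


def hash_H1(m, tag):
    """Encapsulated key, also bound to the tag."""
    return hashlib.sha256(b"H1" + _enc_int(m) + tag).digest()


# --- FO-style tagged KEM on top of the PKE ---

def tkem_encap(pk, tag):
    m = pow(GEN, secrets.randbelow(Q - 1) + 1, P)  # uniform message in the subgroup
    c = pke_enc(pk, m, hash_G(m, tag))
    return c, hash_H1(m, tag)


def tkem_decap(sk, pk, tag, c):
    """Explicit rejection (assumption): None unless c is the derandomised
    encryption of the recovered message under this tag."""
    m = pke_dec(sk, c)
    if pke_enc(pk, m, hash_G(m, tag)) != c:
        return None
    return hash_H1(m, tag)


def demo():
    """Honest run, tag substitution and ciphertext tampering; returns three booleans."""
    sk, pk = pke_keygen()
    tag = b"initiator:alice|responder:bob"  # constructed: identities as the tag (cf. footnote 1)
    c, k = tkem_encap(pk, tag)
    honest_ok = tkem_decap(sk, pk, tag, c) == k
    # The PKE itself decrypts fine under another tag, but G(m, tag') gives different
    # randomness, so the re-encryption check fails and the key is withheld.
    tag_swap_rejected = tkem_decap(sk, pk, b"initiator:mallory|responder:bob", c) is None
    c1, c2 = c
    tamper_rejected = tkem_decap(sk, pk, tag, (c1, (c2 * GEN) % P)) is None
    return honest_ok, tag_swap_rejected, tamper_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

`demo()` returns `(True, True, True)`: honest decapsulation recovers the key, while the same ciphertext presented under a different identity tag, or a tampered ciphertext, is rejected. ElGamal alone does not bind a tag to the ciphertext; feeding the tag into \(G\) and re-encrypting is what makes the tag (here the identities) part of what the ciphertext commits to.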
C The Security Experiment \(\textsf{Exp}_{\textsf{AKE},\mu ,\ell ,\mathcal {A}}^{\textsf{IND}\text {-}\textsf{AA}\text {-}{b}}\)
The security experiment \(\textsf{Exp}_{\textsf{AKE},\mu ,\ell ,\mathcal {A}}^{\textsf{IND}\text {-}\textsf{AA}\text {-}{b}}\) is shown in Fig. 9.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Lyu, Y., Liu, S. (2024). Two-Message Authenticated Key Exchange from Public-Key Encryption. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14344. Springer, Cham. https://doi.org/10.1007/978-3-031-50594-2_21
DOI: https://doi.org/10.1007/978-3-031-50594-2_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-50593-5
Online ISBN: 978-3-031-50594-2
eBook Packages: Computer Science, Computer Science (R0)