Non-Interactive Key Exchange (NIKE) is a cryptographic primitive that allows two users to compute a shared key without any interaction. The Diffie-Hellman key exchange scheme is probably the most well-known example of a NIKE scheme. Freire et al. (PKC 2013) defined four security notions for NIKE schemes, and showed implications among them. In these notions, we consider an adversary that is challenged to distinguish a shared key of a new pair of users from a random value, using only its knowledge of keys shared between other pairs of users. To take into account side-channel attacks such as tampering and fault-injection attacks, Bellare and Kohno (Eurocrypt 2003) formalized related-key attacks (RKA), where stronger adversaries are considered. In this paper, we introduce four RKA security notions for NIKE schemes. In these notions, we consider an adversary that can also manipulate the secret keys of users and obtain shared keys computed under the modified secret keys. We also show implications and separations among the security notions, and prove that one of the NIKE schemes proposed by Freire et al. is secure in the strongest RKA sense in the random oracle model under the Double Strong Diffie-Hellman (DSDH) assumption over the group of signed quadratic residues, which is implied by the factoring assumption.
Hiraku MORITA
National Institute of Advanced Industrial Science and Technology (AIST)
Jacob C.N. SCHULDT
National Institute of Advanced Industrial Science and Technology (AIST)
Takahiro MATSUDA
National Institute of Advanced Industrial Science and Technology (AIST)
Goichiro HANAOKA
National Institute of Advanced Industrial Science and Technology (AIST)
Tetsu IWATA
Nagoya University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Hiraku MORITA, Jacob C.N. SCHULDT, Takahiro MATSUDA, Goichiro HANAOKA, Tetsu IWATA, "On the Security of Non-Interactive Key Exchange against Related-Key Attacks" in IEICE TRANSACTIONS on Fundamentals,
vol. E100-A, no. 9, pp. 1910-1923, September 2017, doi: 10.1587/transfun.E100.A.1910.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E100.A.1910/_p
@ARTICLE{e100-a_9_1910,
author={Hiraku MORITA and Jacob C.N. SCHULDT and Takahiro MATSUDA and Goichiro HANAOKA and Tetsu IWATA},
journal={IEICE TRANSACTIONS on Fundamentals},
title={On the Security of Non-Interactive Key Exchange against Related-Key Attacks},
year={2017},
volume={E100-A},
number={9},
pages={1910-1923},
abstract={Non-Interactive Key Exchange (NIKE) is a cryptographic primitive that allows two users to compute a shared key without any interaction. The Diffie-Hellman key exchange scheme is probably the most well-known example of a NIKE scheme. Freire et al. (PKC 2013) defined four security notions for NIKE schemes, and showed implications among them. In these notions, we consider an adversary that is challenged to distinguish a shared key of a new pair of users from a random value, using only its knowledge of keys shared between other pairs of users. To take into account side-channel attacks such as tampering and fault-injection attacks, Bellare and Kohno (Eurocrypt 2003) formalized related-key attacks (RKA), where stronger adversaries are considered. In this paper, we introduce four RKA security notions for NIKE schemes. In these notions, we consider an adversary that can also manipulate the secret keys of users and obtain shared keys computed under the modified secret keys. We also show implications and separations among the security notions, and prove that one of the NIKE schemes proposed by Freire et al. is secure in the strongest RKA sense in the random oracle model under the Double Strong Diffie-Hellman (DSDH) assumption over the group of signed quadratic residues, which is implied by the factoring assumption.},
keywords={},
doi={10.1587/transfun.E100.A.1910},
ISSN={1745-1337},
month={September}
}
TY - JOUR
TI - On the Security of Non-Interactive Key Exchange against Related-Key Attacks
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 1910
EP - 1923
AU - Hiraku MORITA
AU - Jacob C.N. SCHULDT
AU - Takahiro MATSUDA
AU - Goichiro HANAOKA
AU - Tetsu IWATA
PY - 2017
DO - 10.1587/transfun.E100.A.1910
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E100-A
IS - 9
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - September 2017
AB - Non-Interactive Key Exchange (NIKE) is a cryptographic primitive that allows two users to compute a shared key without any interaction. The Diffie-Hellman key exchange scheme is probably the most well-known example of a NIKE scheme. Freire et al. (PKC 2013) defined four security notions for NIKE schemes, and showed implications among them. In these notions, we consider an adversary that is challenged to distinguish a shared key of a new pair of users from a random value, using only its knowledge of keys shared between other pairs of users. To take into account side-channel attacks such as tampering and fault-injection attacks, Bellare and Kohno (Eurocrypt 2003) formalized related-key attacks (RKA), where stronger adversaries are considered. In this paper, we introduce four RKA security notions for NIKE schemes. In these notions, we consider an adversary that can also manipulate the secret keys of users and obtain shared keys computed under the modified secret keys. We also show implications and separations among the security notions, and prove that one of the NIKE schemes proposed by Freire et al. is secure in the strongest RKA sense in the random oracle model under the Double Strong Diffie-Hellman (DSDH) assumption over the group of signed quadratic residues, which is implied by the factoring assumption.
ER -