PRF-ODH: Relations, Instantiations, and Impossibility Results

The pseudorandom-function oracle-Diffie–Hellman (PRF-ODH) assumption has been introduced recently to analyze a variety of DH-based key exchange protocols, including TLS 1.2 and the TLS 1.3 candidates, as well as the extended access control (EAC) protocol. Remarkably, the assumption comes in different flavors in these settings and none of them has been scrutinized comprehensively yet. In this paper here we therefore present a systematic study of the different PRF-ODH variants in the literature. In particular, we analyze their strengths relative to each other, carving out that the variants form a hierarchy. We further investigate the boundaries between instantiating the assumptions in the standard model and the random oracle model. While we show that even the strongest variant is achievable in the random oracle model under the strong Diffie–Hellman assumption, we provide a negative result showing that it is implausible to instantiate even the weaker variants in the standard model via algebraic black-box reductions to common cryptographic problems.

[1]  Morris J. Dworkin,et al.  SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions , 2015 .

[2]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[3]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[4]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[5]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates , 2015, IACR Cryptol. ePrint Arch..

[6]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[7]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol , 2016, IACR Cryptol. ePrint Arch..

[8]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[9]  Mihir Bellare,et al.  New Proofs for NMAC and HMAC: Security without Collision Resistance , 2006, Journal of Cryptology.

[10]  Robert H. Deng,et al.  Variations of Diffie-Hellman Problem , 2003, ICICS.

[11]  Hugo Krawczyk,et al.  HMAC-based Extract-and-Expand Key Derivation Function (HKDF) , 2010, RFC.

[12]  Alfredo Pironti,et al.  Proving the TLS Handshake Secure (as it is) , 2014, IACR Cryptol. ePrint Arch..

[13]  Dengguo Feng,et al.  Multiple Handshakes Security of TLS 1.3 Candidates , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[14]  Hugo Krawczyk,et al.  Cryptographic Extraction and Key Derivation: The HKDF Scheme , 2010, IACR Cryptol. ePrint Arch..

[15]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[16]  Berkant Ustaoglu,et al.  Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS , 2008, Des. Codes Cryptogr..

[17]  Ueli Maurer,et al.  Diffie-Hellman Oracles , 1996, CRYPTO.

[18]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[19]  Mihir Bellare,et al.  Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of an HMAC Assumption , 2015, IACR Cryptol. ePrint Arch..

[20]  Raghav Bhaskar,et al.  Improved Bounds on Security Reductions for Discrete Log Based Signatures , 2008, CRYPTO.

[21]  Marc Fischlin,et al.  Zero Round-Trip Time for the Extended Access Control Protocol , 2017, ESORICS.

[22]  Eike Kiltz,et al.  A Tool Box of Cryptographic Functions Related to the Diffie-Hellman Function , 2001, INDOCRYPT.

[23]  Jean-Sébastien Coron,et al.  Merkle-Damgård Revisited: How to Construct a Hash Function , 2005, CRYPTO.

[24]  Marc Fischlin,et al.  Multi-Stage Key Exchange and the Case of Google's QUIC Protocol , 2014, CCS.

[25]  Mihir Bellare,et al.  A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications , 2003, EUROCRYPT.

[26]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[27]  Hugo Krawczyk,et al.  The OPTLS Protocol and TLS 1.3 , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[28]  Marc Fischlin,et al.  Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[29]  Steven D. Galbraith,et al.  Mathematics of Public Key Cryptography , 2012 .

[30]  Cristina Nita-Rotaru,et al.  How Secure and Quick is QUIC? Provable Security and Performance Analyses , 2015, 2015 IEEE Symposium on Security and Privacy.

[31]  Pascal Paillier,et al.  Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log , 2005, ASIACRYPT.

[32]  Mihir Bellare,et al.  The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES , 2001, CT-RSA.

[33]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[34]  Marc Fischlin,et al.  Security Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents , 2010, ISC.