Signed Diffie-Hellman Key Exchange with Tight Security

We propose the first tight security proof for the ordinary two-message signed Diffie-Hellman key exchange protocol in the random oracle model. Our proof is based on the strong computational Diffie-Hellman assumption and the multi-user security of a digital signature scheme. With our security proof, the signed DH protocol can be deployed with optimal parameters, independent of the number of users or sessions, without the need to compensate for any security loss. We abstract our approach with a new notion called verifiable key exchange. In contrast to a known tight three-message variant of the signed Diffie-Hellman protocol (Gjøsteen and Jager, CRYPTO 2018), we do not require any modification to the original protocol, and our tightness result is proven in the “Single-Bit-Guess” model, which we know can be tightly composed with symmetric cryptographic primitives to establish a secure channel.
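As an added illustration that is not part of the paper, the following Python sketch walks through the ordinary two-message signed Diffie-Hellman exchange the abstract refers to: each party signs the transcript it has seen (here with a Schnorr-style signature, a choice made for this example), the session key is derived by hashing the transcript together with the shared DH value (the hash standing in for the random oracle), and each side rejects shares outside the prime-order subgroup. The exact message format, the identity strings and the toy 127-bit group are this example's assumptions, not the paper's.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): p = 2**127 - 1 is prime, q | p - 1.
P, Q = (1 << 127) - 1, 77158673929
G = pow(3, (P - 1) // Q, P)  # g = 3^((p-1)/q) generates the order-q subgroup both parties use

def _h(*parts):  # SHA-256 over a domain-tagged transcript: plays the proof's random oracle
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, *msg):  # Schnorr signature (R, s) on msg; the scheme is this example's choice
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = _h("sig", R, pow(G, sk, P), msg) % Q
    return R, (r + c * sk) % Q

def verify(pk, sig, *msg):
    R, s = sig
    return pow(G, s, P) == R * pow(pk, _h("sig", R, pk, msg) % Q, P) % P

def initiator_m1(sk_a, a, b):
    """Message 1 (A -> B): X = g^x plus A's signature over (A, B, X)."""
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P)
    return x, (X, sign(sk_a, "m1", a, b, X))

def responder_m2(sk_b, pk_a, a, b, m1):  # Message 2 (B -> A): Y = g^y signed over (A, B, X, Y)
    X, sig_a = m1
    if not (1 < X < P and pow(X, Q, P) == 1 and verify(pk_a, sig_a, "m1", a, b, X)):
        return None  # reject: X outside the subgroup, or A's signature does not verify
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    return (Y, sign(sk_b, "m2", a, b, X, Y)), _h("key", a, b, X, Y, pow(X, y, P))

def initiator_finish(x, pk_b, a, b, m2):  # A checks B's signature over the transcript A saw
    Y, sig_b = m2
    X = pow(G, x, P)
    if not (1 < Y < P and pow(Y, Q, P) == 1 and verify(pk_b, sig_b, "m2", a, b, X, Y)):
        return None
    return _h("key", a, b, X, Y, pow(Y, x, P))  # K = H(A, B, X, Y, g^xy), same as B's

def run_handshake(a="alice", b="bob"):  # one honest run; returns (K_A, K_B)
    (sk_a, pk_a), (sk_b, pk_b) = keygen(), keygen()
    x, m1 = initiator_m1(sk_a, a, b)
    m2, k_b = responder_m2(sk_b, pk_a, a, b, m1)
    return initiator_finish(x, pk_b, a, b, m2), k_b
```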

[1] Steven D. Galbraith et al. Public key signatures in the multi-user setting. Inf. Process. Lett., 2002.

[2] Claus-Peter Schnorr et al. Efficient signature generation by smart cards. Journal of Cryptology, 2004.

[3] Tibor Jager et al. Tightly-Secure Authenticated Key Exchange. IACR Cryptol. ePrint Arch., 2015.

[4] Tibor Jager et al. On Tight Security Proofs for Schnorr Signatures. ASIACRYPT, 2014.

[5] Marc Fischlin et al. Key Confirmation in Key Exchange: A Formal Treatment and Implications for TLS 1.3. 2016 IEEE Symposium on Security and Privacy (SP), 2016.

[6] Tibor Jager et al. On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments. Journal of Cryptology, 2021.

[7] Tibor Jager et al. Tightly-Secure Authenticated Key Exchange, Revisited. IACR Cryptol. ePrint Arch., 2020.

[8] Mihir Bellare et al. The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES. CT-RSA, 2001.

[9] Tibor Jager et al. Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange. IACR Cryptol. ePrint Arch., 2018.

[10] Felix Günther et al. Tighter Proofs for the SIGMA and TLS 1.3 Key Exchange Protocols. IACR Cryptol. ePrint Arch., 2020.

[11] David Cash et al. The Twin Diffie-Hellman Problem and Applications. EUROCRYPT, 2008.

[12] David Cash et al. The Twin Diffie-Hellman Problem and Applications. Journal of Cryptology, 2009.

[13] Victor Shoup et al. Lower Bounds for Discrete Logarithms and Related Problems. EUROCRYPT, 1997.

[14] Dan Harkins et al. The Internet Key Exchange (IKE). RFC, 1998.

[15] Eike Kiltz et al. Optimal Security Proofs for Signatures from Identification Schemes. CRYPTO, 2016.

[16] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.3. RFC, 2018.

[17] Mihir Bellare et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. EUROCRYPT, 2006.

[18] Kristin E. Lauter et al. Stronger Security of Authenticated Key Exchange. ProvSec, 2006.

[19] Ueli Maurer et al. Abstract Models of Computation in Cryptography. IMACC, 2005.

[20] Eike Kiltz et al. The Group of Signed Quadratic Residues and Applications. CRYPTO, 2009.

[21] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.1. RFC, 2006.

[22] Jiaxin Pan et al. Signatures with Tight Multi-user Security from Search Assumptions. ESORICS, 2020.

[23] Hugo Krawczyk et al. SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols. CRYPTO, 2003.

[24] Yuting Xiao et al. Tightly Secure Two-Pass Authenticated Key Exchange Protocol in the CK Model. CT-RSA, 2020.

[25] Dawu Gu et al. Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security. IACR Cryptol. ePrint Arch., 2020.

[26] Tibor Jager et al. Highly Efficient Key Exchange Protocols with Optimal Tightness: Enabling Real-World Deployments with Theoretically Sound Parameters. IACR Cryptol. ePrint Arch., 2019.

[27] Tibor Jager et al. More Efficient Digital Signatures with Tight Multi-User Security. IACR Cryptol. ePrint Arch., 2021.

[28] Tibor Jager et al. One-Round Key Exchange with Strong Security: An Efficient and Generic Construction in the Standard Model. Public Key Cryptography, 2015.

[29] Yong Li et al. No-Match Attacks and Robust Partnering Definitions: Defining Trivial Attacks for Security Protocols is Not Trivial. CCS, 2017.

[30] Mihir Bellare et al. Random oracles are practical: a paradigm for designing efficient protocols. CCS '93, 1993.

[31] Tibor Jager et al. On the Security of TLS-DHE in the Standard Model. CRYPTO, 2012.

[32] Paul C. van Oorschot et al. Authentication and authenticated key exchanges. Des. Codes Cryptogr., 1992.

[33] Tanja Lange et al. High-speed high-security signatures. Journal of Cryptographic Engineering, 2011.

[34] Mihir Bellare et al. The Multi-Base Discrete Logarithm Problem: Tight Reductions and Non-rewinding Proofs for Schnorr Identification and Signatures. INDOCRYPT, 2020.

[35] Mihir Bellare et al. Entity Authentication and Key Distribution. CRYPTO, 1993.

[36] Tibor Jager et al. Authenticated Confidential Channel Establishment and the Security of TLS-DHE. Journal of Cryptology, 2017.

[37] Whitfield Diffie et al. New Directions in Cryptography. IEEE Trans. Inf. Theory, 1976.

[38] Tanja Lange et al. High-Speed High-Security Signatures. CHES, 2011.