We construct the first Authenticated Key Exchange (AKE) protocol whose security does not degrade with an increasing number of users or sessions. We describe a three-message protocol and prove security in an enhanced version of the classical Bellare-Rogaway security model. Our construction is modular, and can be instantiated efficiently from standard assumptions (such as the SXDH or DLIN assumptions in pairing-friendly groups). For instance, we provide an SXDH-based protocol whose communication

more »

... omplexity is only 14 group elements and 4 exponents (plus some bookkeeping information). Along the way we develop new, stronger security definitions for digital signatures and key encapsulation mechanisms. For instance, we introduce a security model for digital signatures that provides existential unforgeability under chosen-message attacks in a multi-user setting with adaptive corruptions of secret keys. We show how to construct efficient schemes that satisfy the new definitions with tight security proofs under standard assumptions. $ ← E 0 and all proofs are generated with respect to CRS sim . Since the contrary would allow B NIPS to break the (t, CRS )-security of NIPS we have Game 3. This game is similar to Game 2 except for the following. We abort the game (and A loses) if the forgery (i * , m * , σ * ) returned by A satisfies SIG.Vfy MU vk (i * ) , m * , σ * = 1, but the extractor E 1 is not able to extract a witness (s 0 , s 1 ) from σ * . Due to the perfect knowledge extraction property of NIPS on a simulated CRS we have: By the substitution formulas for Y i,b and b i and be the definition of h and t * , equations (4) and (8) and equations (6) and (9) are equivalent. Hence, Game 4. In this game, the answer σ = ([r] 2 , [u] 2 , [v] 2 ) to a signing query (m, i) is computed differently. Concretely, the values r and v are computed as before, but the value u is chosen as u $ ← Z q .