Tightly-Secure Authenticated Key Exchange
Lecture Notes in Computer Science
We construct the first Authenticated Key Exchange (AKE) protocol whose security does not degrade with an increasing number of users or sessions. We describe a three-message protocol and prove security in an enhanced version of the classical Bellare-Rogaway security model. Our construction is modular, and can be instantiated efficiently from standard assumptions (such as the SXDH or DLIN assumptions in pairing-friendly groups). For instance, we provide an SXDH-based protocol whose communication
... omplexity is only 14 group elements and 4 exponents (plus some bookkeeping information). Along the way we develop new, stronger security definitions for digital signatures and key encapsulation mechanisms. For instance, we introduce a security model for digital signatures that provides existential unforgeability under chosen-message attacks in a multi-user setting with adaptive corruptions of secret keys. We show how to construct efficient schemes that satisfy the new definitions with tight security proofs under standard assumptions. $ ← E 0 and all proofs are generated with respect to CRS sim . Since the contrary would allow B NIPS to break the (t, CRS )-security of NIPS we have Game 3. This game is similar to Game 2 except for the following. We abort the game (and A loses) if the forgery (i * , m * , σ * ) returned by A satisfies SIG.Vfy MU vk (i * ) , m * , σ * = 1, but the extractor E 1 is not able to extract a witness (s 0 , s 1 ) from σ * . Due to the perfect knowledge extraction property of NIPS on a simulated CRS we have: By the substitution formulas for Y i,b and b i and be the definition of h and t * , equations (4) and (8) and equations (6) and (9) are equivalent. Hence, Game 4. In this game, the answer σ = ([r] 2 , [u] 2 , [v] 2 ) to a signing query (m, i) is computed differently. Concretely, the values r and v are computed as before, but the value u is chosen as u $ ← Z q .