The power of undirected rewindings for adaptive security. (English) Zbl 1531.94066
Handschuh, Helena (ed.) et al., Advances in cryptology – CRYPTO 2023. 43rd annual international cryptology conference, CRYPTO 2023, Santa Barbara, CA, USA, August 20–24, 2023. Proceedings. Part II. Cham: Springer. Lect. Notes Comput. Sci. 14082, 725-758 (2023).
Summary: Existing proofs of adaptive security (e.g., in settings in which decryption keys are adaptively revealed) often rely on guessing arguments. Such guessing arguments can be simple (and, e.g., just involve guessing which keys are revealed), or more complex “partitioning” arguments. Since guessing directly and negatively impacts the loss of the corresponding security reduction, this leads to black-box lower bounds for a number of cryptographic scenarios that involve adaptive security.
In this work, we provide an alternative to such guessing arguments: instead of guessing in a security reduction which adaptive choices an adversary \(\mathcal{A}\) makes, we rewind \(\mathcal{A}\) many times until we can successfully embed a given computational challenge. The main benefit of using rewindings is that these rewindings can be arranged sequentially, and the corresponding reduction loss only accumulates additively (instead of multiplicatively, as with guessing). The main technical challenge is to show that \(\mathcal{A} \)’s success is not negatively affected after (potentially many) rewindings. To this end, we develop a machinery for “undirected ” rewindings that preserve \(\mathcal{A} \)’s success across (potentially many) rewindings.
We use this strategy to show
For the entire collection see [Zbl 1529.94005].
In this work, we provide an alternative to such guessing arguments: instead of guessing in a security reduction which adaptive choices an adversary \(\mathcal{A}\) makes, we rewind \(\mathcal{A}\) many times until we can successfully embed a given computational challenge. The main benefit of using rewindings is that these rewindings can be arranged sequentially, and the corresponding reduction loss only accumulates additively (instead of multiplicatively, as with guessing). The main technical challenge is to show that \(\mathcal{A} \)’s success is not negatively affected after (potentially many) rewindings. To this end, we develop a machinery for “undirected ” rewindings that preserve \(\mathcal{A} \)’s success across (potentially many) rewindings.
We use this strategy to show
- ●
- security of the “Logical Key Hierarchy” protocol underlying the popular TreeKEM key management protocol, and
- ●
- security of the Goldreich-Goldwasser-Micali (GGM) pseudorandom function (PRF) as a prefix-constrained PRF.
For the entire collection see [Zbl 1529.94005].
References:
| [1] | Bader, C.; Jager, T.; Li, Y.; Schäge, S.; Fischlin, M.; Coron, J-S, On the impossibility of tight cryptographic reductions, Advances in Cryptology - EUROCRYPT 2016, 273-304 (2016), Heidelberg: Springer, Heidelberg · Zbl 1369.94519 · doi:10.1007/978-3-662-49896-5_10 |
| [2] | Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: 38th FOCS, pp. 394-403. IEEE Computer Society Press (Oct 1997). doi:10.1109/SFCS.1997.646128 |
| [3] | Bhargavan, K., Barnes, R., Rescorla, E.: TreeKEM: asynchronous decentralized key management for large dynamic groups a protocol proposal for messaging layer security (MLS). Research report, Inria Paris (May 2018). https://hal.inria.fr/hal-02425247 |
| [4] | Bienstock, A.; Dodis, Y.; Tang, Y.; Galbraith, SD, Multicast key agreement, revisited, Topics in Cryptology - CT-RSA 2022, 1-25 (2022), Cham: Springer, Cham · Zbl 1492.94182 · doi:10.1007/978-3-030-95312-6_1 |
| [5] | Boneh, D.; Waters, B.; Sako, K.; Sarkar, P., Constrained pseudorandom functions and their applications, Advances in Cryptology - ASIACRYPT 2013, 280-300 (2013), Heidelberg: Springer, Heidelberg · Zbl 1314.94057 · doi:10.1007/978-3-642-42045-0_15 |
| [6] | Boyle, E.; Goldwasser, S.; Ivan, I.; Krawczyk, H., Functional signatures and pseudorandom functions, Public-Key Cryptography - PKC 2014, 501-519 (2014), Heidelberg: Springer, Heidelberg · Zbl 1290.94145 · doi:10.1007/978-3-642-54631-0_29 |
| [7] | Brakerski, Z., Kalai, Y.T.: A framework for efficient signatures, ring signatures and identity based encryption in the standard model. Cryptology ePrint Archive, Report 2010/086 (2010). https://eprint.iacr.org/2010/086 |
| [8] | Canetti, R., Garay, J.A., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: a taxonomy and some efficient constructions. In: IEEE INFOCOM’99, pp. 708-716. New York, NY, USA (Mar 21-25, 1999) |
| [9] | Canetti, R., Kilian, J., Petrank, E., Rosen, A.: Black-box concurrent zero-knowledge requires omega (log n) rounds. In: 33rd ACM STOC, pp. 570-579. ACM Press (Jul 2001). doi:10.1145/380752.380852 · Zbl 1317.68064 |
| [10] | Coron, J-S; Knudsen, LR, Optimal security proofs for PSS and other signature schemes, Advances in Cryptology — EUROCRYPT 2002, 272-287 (2002), Heidelberg: Springer, Heidelberg · Zbl 1055.94025 · doi:10.1007/3-540-46035-7_18 |
| [11] | Davidson, A.; Katsumata, S.; Nishimaki, R.; Yamada, S.; Yamakawa, T.; Micciancio, D.; Ristenpart, T., Adaptively secure constrained pseudorandom functions in the standard model, Advances in Cryptology - CRYPTO 2020, 559-589 (2020), Cham: Springer, Cham · Zbl 1501.94038 · doi:10.1007/978-3-030-56784-2_19 |
| [12] | Fiat, A.; Shamir, A.; Odlyzko, AM, How to prove yourself: practical solutions to identification and signature problems, Advances in Cryptology — CRYPTO’ 86, 186-194 (1987), Heidelberg: Springer, Heidelberg · Zbl 0636.94012 · doi:10.1007/3-540-47721-7_12 |
| [13] | Fischlin, M.; Fleischhacker, N.; Johansson, T.; Nguyen, PQ, Limitations of the meta-reduction technique: the case of schnorr signatures, Advances in Cryptology - EUROCRYPT 2013, 444-460 (2013), Heidelberg: Springer, Heidelberg · Zbl 1306.94103 · doi:10.1007/978-3-642-38348-9_27 |
| [14] | Fuchsbauer, G.; Konstantinov, M.; Pietrzak, K.; Rao, V.; Sarkar, P.; Iwata, T., Adaptive security of constrained PRFs, Advances in Cryptology - ASIACRYPT 2014, 82-101 (2014), Heidelberg: Springer, Heidelberg · Zbl 1317.94107 · doi:10.1007/978-3-662-45608-8_5 |
| [15] | Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th FOCS, pp. 464-479. IEEE Computer Society Press (Oct 1984). doi:10.1109/SFCS.1984.715949 |
| [16] | Goldreich, O.; Goldwasser, S.; Micali, S.; Blakley, GR; Chaum, D., On the cryptographic applications of random functions, CRYPTO’84, 276-288 (1984), Heidelberg: Springer, Heidelberg · Zbl 1359.94599 · doi:10.1007/3-540-39568-7_22 |
| [17] | Goldreich, O.; Micali, S.; Wigderson, A.; Odlyzko, AM, How to prove all NP Statements in zero-knowledge and a methodology of cryptographic protocol design (extended abstract), Advances in Cryptology — CRYPTO’ 86, 171-185 (1987), Heidelberg: Springer, Heidelberg · Zbl 0636.94010 · doi:10.1007/3-540-47721-7_11 |
| [18] | Goldwasser, S.; Micali, S.; Rivest, RL, A digital signature scheme secure against adaptive chosen-message attacks, SIAM J. Comput., 17, 2, 281-308 (1988) · Zbl 0644.94012 · doi:10.1137/0217017 |
| [19] | Hofheinz, D.; Jager, T.; Knapp, E.; Fischlin, M.; Buchmann, J.; Manulis, M., Waters signatures with optimal security reduction, Public Key Cryptography - PKC 2012, 66-83 (2012), Heidelberg: Springer, Heidelberg · Zbl 1290.94088 · doi:10.1007/978-3-642-30057-8_5 |
| [20] | Hofheinz, D.; Kiltz, E.; Wagner, D., Programmable hash functions and their applications, Advances in Cryptology - CRYPTO 2008, 21-38 (2008), Heidelberg: Springer, Heidelberg · Zbl 1183.94052 · doi:10.1007/978-3-540-85174-5_2 |
| [21] | Hohenberger, S.; Waters, B.; Halevi, S., Short and stateless signatures from the RSA assumption, Advances in Cryptology - CRYPTO 2009, 654-670 (2009), Heidelberg: Springer, Heidelberg · Zbl 1252.94074 · doi:10.1007/978-3-642-03356-8_38 |
| [22] | Jafargholi, Z.; Kamath, C.; Klein, K.; Komargodski, I.; Pietrzak, K.; Wichs, D.; Katz, J.; Shacham, H., Be adaptive, avoid overcommitting, Advances in Cryptology - CRYPTO 2017, 133-163 (2017), Cham: Springer, Cham · Zbl 1407.94123 · doi:10.1007/978-3-319-63688-7_5 |
| [23] | Kamath, C.; Klein, K.; Pietrzak, K.; Walter, M.; Nissim, K.; Waters, B., The cost of adaptivity in security games on graphs, Theory of Cryptography, 550-581 (2021), Cham: Springer, Cham · Zbl 1511.94115 · doi:10.1007/978-3-030-90453-1_19 |
| [24] | Kastner, J.; Loss, J.; Xu, J.; Agrawal, S.; Lin, D., The abe-okamoto partially blind signature scheme revisited, Advances in Cryptology - ASIACRYPT 2022, 279-309 (2022), Cham: Springer Nature Switzerland, Cham · Zbl 1519.94224 · doi:10.1007/978-3-031-22972-5_10 |
| [25] | Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 669-684. ACM Press (Nov 2013). doi:10.1145/2508859.2516668 |
| [26] | Klein, K., et al.: Keep the dirt: tainted TreeKEM, adaptively and actively secure continuous group key agreement. In: 2021 IEEE Symposium on Security and Privacy, pp. 268-284. IEEE Computer Society Press (May 2021). doi:10.1109/SP40001.2021.00035 |
| [27] | Kuchta, V.; Sakzad, A.; Stehlé, D.; Steinfeld, R.; Sun, S-F; Canteaut, A.; Ishai, Y., Measure-rewind-measure: tighter quantum random oracle model proofs for one-way to hiding and CCA security, Advances in Cryptology - EUROCRYPT 2020, 703-728 (2020), Cham: Springer, Cham · Zbl 1479.94202 · doi:10.1007/978-3-030-45727-3_24 |
| [28] | Lewko, A.; Waters, B.; Nguyen, PQ; Oswald, E., Why proving HIBE systems secure is difficult, Advances in Cryptology - EUROCRYPT 2014, 58-76 (2014), Heidelberg: Springer, Heidelberg · Zbl 1326.94109 · doi:10.1007/978-3-642-55220-5_4 |
| [29] | Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: 21st ACM STOC, pp. 33-43. ACM Press (May 1989). doi:10.1145/73007.73011 |
| [30] | Panjwani, S.; Vadhan, SP, Tackling adaptive corruptions in multicast encryption protocols, Theory of Cryptography, 21-40 (2007), Heidelberg: Springer, Heidelberg · Zbl 1129.94033 · doi:10.1007/978-3-540-70936-7_2 |
| [31] | Pointcheval, D.; Stern, J.; Maurer, U., Security proofs for signature schemes, Advances in Cryptology — EUROCRYPT ’96, 387-398 (1996), Heidelberg: Springer, Heidelberg · Zbl 1304.94106 · doi:10.1007/3-540-68339-9_33 |
| [32] | Richardson, R.; Kilian, J.; Stern, J., On the concurrent composition of zero-knowledge proofs, Advances in Cryptology — EUROCRYPT ’99, 415-431 (1999), Heidelberg: Springer, Heidelberg · Zbl 0932.68046 · doi:10.1007/3-540-48910-X_29 |
| [33] | Wallner, D.M., Harder, E.J., Agee, R.C.: Key management for multicast: issues and architectures. Internet Draft (Sep 1998). http://www.ietf.org/ID.html |
| [34] | Waters, B.; Cramer, R., Efficient identity-based encryption without random oracles, Advances in Cryptology - EUROCRYPT 2005, 114-127 (2005), Heidelberg: Springer, Heidelberg · Zbl 1137.94360 · doi:10.1007/11426639_7 |
| [35] | Wong, CK; Gouda, MG; Lam, SS, Secure group communications using key graphs, IEEE/ACM Trans. Netw., 8, 1, 16-30 (2000) · doi:10.1109/90.836475 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
