Merkle Puzzles Are Optimal
Boaz Barak, Mohammad Mahmoody-Ghidary
Some faces of modern cryptography
Timeline (from the "Stone Age" on):
1974: Merkle KA, n^2 security, ideal OWF
1976: Diffie-Hellman KA, exp(n) security, ~dlog*
1977: RSA TDP, exp(n) security, factoring*
1978: Rabin TDP, ~exp(n) security, factoring
1989: Naor-Yung SIG, exp(n) security, OWF*
Fundamental Question: Is there an OWF-based KA with super-polynomial security?
Impagliazzo-Rudich 89: No KA based on a random oracle can be proven more than n^6 secure in a black-box way.
Why is it important?
Our Result: Improve IR89's bound to n^2.
Theoretical motivation: the power of interaction.
Practical motivation: rule out a protocol with 10^9 operations and 10^54 security [Biham-Ishai-Goren08].
Talk Plan
Formal defs and model.
Overview of Merkle's protocol.
Description of our attacking algorithm.
Analysis of the attack.
Formal Defs
Def: Key exchange protocol. [Figure: Alice and Bob, each with access to H, output s_A and s_B]
Correctness:
Security: for every eavesdropping adversary outputting s_E
Random oracle model: all parties have black-box access to a random function H: {0,1}^n → {0,1}^n (same model, different motivation than [Bellare-Rogaway 93]).
This talk: Complexity = # queries to H.
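Merkle's protocol in the random-oracle model just defined, as an added Python simulation (not code from the talk or the paper): it counts H queries per party and exhibits the n^2 gap between the honest parties' cost and the eavesdropper's. The n^2-element puzzle domain and the fresh 64-bit random oracle per run are assumptions of this toy.

```python
import random

class RandomOracle:
    """Lazily sampled H: {0,1}^n -> {0,1}^n; counts queries per party (the talk's cost)."""
    def __init__(self, n_bits: int, rng: random.Random):
        self.n_bits, self.rng = n_bits, rng
        self.table: dict[int, int] = {}
        self.queries: dict[str, int] = {}

    def query(self, party: str, x: int) -> int:
        self.queries[party] = self.queries.get(party, 0) + 1
        if x not in self.table:                      # fresh point: sample H(x) now
            self.table[x] = self.rng.getrandbits(self.n_bits)
        return self.table[x]

def merkle_puzzles(n: int, H: RandomOracle, rng: random.Random):
    """One run of Merkle's protocol over the n^2 puzzle inputs 0..n^2-1 (a toy
    choice). Alice sends the n values H(x_i); Bob queries random y until an output
    matches and echoes it. Returns (s_A, s_B, h), or None if no match (prob ~1/e)."""
    domain = n * n
    alice = {}
    for _ in range(n):
        x = rng.randrange(domain)
        alice[H.query("Alice", x)] = x               # message 1: the set {H(x_i)}
    for _ in range(n):
        y = rng.randrange(domain)
        h = H.query("Bob", y)
        if h in alice:                               # message 2: Bob echoes h
            return alice[h], y, h                    # s_A = x, s_B = y, transcript h
    return None

def eve(h: int, n: int, H: RandomOracle) -> int:
    """Eve sees only h and must invert H over the puzzle domain: Theta(n^2) queries."""
    for q in range(n * n):
        if H.query("Eve", q) == h:
            return q
    raise RuntimeError("h has a preimage in the puzzle domain")

def demo(n: int = 32, seed: int = 1) -> dict:
    """Rerun until Alice and Bob agree, then let Eve attack; report query counts."""
    rng = random.Random(seed)
    while True:
        H = RandomOracle(64, rng)                    # fresh oracle per run
        run = merkle_puzzles(n, H, rng)
        if run is not None:
            break
    s_a, s_b, h = run
    s_e = eve(h, n, H)
    return {"agree": s_a == s_b, "eve_wins": s_e == s_a, **H.queries}
```

Alice always spends exactly n queries and Bob at most n, while Eve's brute force ranges up to n^2; this is the quadratic gap the slides summarise as "Merkle KA, n^2 security".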
Our Result
[Figure: Alice and Bob, each with access to H, output s_A and s_B]
Main Thm: ∀ n-query protocol, ∃ O((n/ε)^2)-query Eve s.t. Pr[s_E = s_A] > Pr[s_A = s_B] − ε.
Def: q ∈ {0,1}^n is an intersection query (IQ) for some execution of a protocol if both Alice and Bob make the query q to H(·).
Main Thm follows from:
Main Lemma: ∀ n-query protocol, ∃ O((n/ε)^2)-query Eve: Pr[Eve makes all IQ's] > 1 − ε.
Intuition: w.l.o.g., the last queries of Alice and Bob are s_A, s_B.
Main Lemma: ∀ n-query protocol, ∃ O((n/ε)^2)-query Eve: Pr[Eve makes all IQ's] > 1 − O(ε).
[Figure: Alice and Bob, each with access to H, output s_A and s_B]
Attack Algorithm:
Can show: E[# Eve's queries] ≤ O(n^2/ε).
Need: ∀ i, Pr[Eve misses q_i | not missing q_j, j < i] ≤ ε/n.
Intuition: If Eve didn't miss any IQ so far, it has as much chance of hitting Alice's next query as Bob does.
Lemma: ∀ i, Pr[Eve misses q_i | not missing q_j, j < i] ≤ 10ε/n.
Proof attempt: Suppose not; Alice's i-th query q = q_i is the first one missed. Eve knows all messages and all shared queries of Alice and Bob. The oracle gives random answers in all non-shared locations.
(*) Alice's and Bob's views are independent conditioned on Eve's knowledge.
Fix Alice's view A = (r_A, h_A) that still makes Pr[miss] > 10ε/n.
[Figure: Alice's view against Bob's view, with the bad set marked: μ(·) ≥ 10ε/n]
But then the overall probability that q is asked by Bob is > ε/n: contradiction!
(*) is false. Cause of [IR89]'s technical complexity: handled by making more queries, showing that non-independence means Eve "makes progress" per query.
We show directly that the views are close to being independent (small mutual information).
Lemma: ∀ i, Pr[Eve misses q_i | not missing q_j, j < i] ≤ ε/n.
Proof attempt: Suppose not; Alice's i-th query q = q_i is the first one missed. Eve knows all messages and all shared queries of Alice and Bob. The oracle gives random answers in all non-shared locations.
(*) Alice's and Bob's views are independent conditioned on Eve's knowledge.
Fix Alice's view A = (r_A, h_A) that still makes Pr[miss] > 10ε/n.
We show: ∀ A, B: μ(·) > 5ε/n. Implies
[Figure: Alice's view against Bob's view, with the bad set marked]
Views are "almost" independent
[Figure: Alice's side depends only on |r_A|, |Q_A|; Bob's side depends only on |r_B|, |Q_B|]
Thus the theorem follows from:
Cor: Probabilities in the product and non-product distributions are the same up to a multiplicative factor of 0.99.
Main Lemma: ∀ n-query protocol, ∃ O((n/ε)^2)-query Eve: Pr[Eve learns all IQ's] > 1 − O(ε).
[Figure: Alice and Bob, each with access to H, output s_A and s_B]
Attack Algorithm:
Proved: ∀ i, Pr[Eve misses q_i | not missing q_j, j < i] ≤ 10ε/n.
Cor: Pr[Eve misses some IQ] ≤ 10ε.
Left to do: E[# Eve's queries] ≤ O(n^2/ε).
Efficiency of attack
Attack Algorithm:
Left to do: E[# Eve's queries] ≤ O(n^2/ε).
Lemma: E[# Eve's queries] ≤ O(n^2/ε).
Open Questions
O(n^2) bound for random permutations (we improve [IR89]'s Õ(n^12) bound to O(n^4)); can also consider the ideal cipher and other "symmetric" primitives.
Rule out a construction with non-trivial (i.e., ω(n)) security w.r.t. quantum adversaries??
Find non-black-box constructions of key exchange from one-way functions, or other "unstructured" assumptions.