1. Cryptographic protocols 2015, Lecture 3 Key Exchange, CDH, DDH
Helger Lipmaa
University of Tartu, Estonia

2. up to now Basic intro Basic algebra Exponentiation Assumptions
Algebra + assumptions: DL
How to define assumptions (DL)

3. What can be done with DL? First idea:
let s←ℤq be secret key and h=gˢ be public key
computation of s from h is infeasible
Use the keys to "encrypt", "sign", etc
This lecture: more details

4. Key Exchange
I want to send secret information to Bob, but he is in Jamaica
Let us agree on a joint secret key for further communication

5. Key Exchange pkₐ pkb sk=SK(skₐ,pkb) sk=SK(skb,pkₐ) = sk skb,pkb
Asymmetric, public key
Asymmetric, public key
skₐ,pkₐ
skb,pkb
pkₐ
pkb
sk=SK(skₐ,pkb)
sk=SK(skb,pkₐ) = sk
Symmetric, shared key

6. Key Exchange with dl
s, h←gˢ
t, f←gᵗ h f
sk=SK(s,f)
sk=SK(t,h) = sk

7. QUIZ SK (t, gˢ) = sk = SK (s, gᵗ) What could SK be?
Hint: we are working in a group
Use commutativity + efficient operations
Answer: SK (s, h) = hˢ
SK (t, gˢ) = gˢᵗ = gᵗˢ = SK (s, gᵗ)

8. Diffie-Hellman Key Exchange
s, h←gˢ
t, f←gᵗ h f
sk=gˢᵗ = sk

9. DHKE: Formally DHKE.Setup (κ): h DHKE.Keygen (gk): f sk=gˢᵗ
Choose a group G of order q where breaking DL has complexity 2^κ
Choose a generator g of G
Return gk ← desc (G) = (..., q, g)
s,h=gˢ
t,f←gᵗ h
DHKE.Keygen (gk):
sk = s ← ℤq
pk ← gˢ
Return (sk, pk) f
sk=gˢᵗ
DHKE.SK (gk, s, h):
Return hˢ = sk

10. QUIZ: is dhke secure? Correct question:
is DHKE what-secure under X assumption
Three tasks:
Formalize security of KE
Decide on X
Provide a proof by reduction (X holds => DHKE what-secure)

11. Security def: First try
We already saw some issues in the last lecture
...so we won't concentrate on the same issues
Random key, probabilistic algorithms, ...

12. DHKE: intuitive security
s, h←gˢ
t, f←gᵗ h f
sk=gˢᵗ = sk ?

13. key recovery security Game KR(κ,KE,A)
gk ← Setup(κ)
(skₐ,pkₐ)←Keygen (gk)
(skb,pkb)←Keygen (gk)
sk* ← A (gk, pkₐ, pkb)
If sk* = SK (gk, skₐ, pkb)
return 1
else
return 0
Three algorithms KE = (Setup, Keygen, SK)
Adv[KR] := | Pr[KR = 1] - 1 / q |
A ε-breaks KR (key recovery) security of KE iff Adv[KR] ≥ ε
KE is (τ,ε)-KR secure iff no adversary ε- breaks KR security of KE in time ≤ τ
KE is KR secure iff it is (poly(κ),negl(κ))- KR secure

14. SEcurity reduction? We would like to prove that DHKE is KR secure
by reducing KR-security to DL assumption
Unfortunately not known how to do it DL s gˢ SK
gˢᵗ ? SK gᵗ t DL

15. New assumption: CDH
DHKE was proposed together with the idea of public-key cryptography by Diffie and Hellman in 1976
No success in breaking it in any reasonable group where DL is hard
Seems logical: introduce a tautological assumption
CDH: Computational Diffie-Hellman
"key recovery attack against DHKE is hard"

16. Def: CDH assumption Game CDH(G,A) gk ← Setup(κ) (skₐ,pkₐ)←Keygen (gk)
(skb,pkb)←Keygen (gk)
sk* ← A (gk, pkₐ, pkb)
If sk* = SK (gk, skₐ, pkb)
return 1
else
return 0
Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)
Assume (for simplicity) that for any κ, Setup picks exactly one group G = G(κ)
Adv[CDH] := | Pr[CDH = 1] - 1 / q |
A ε-breaks CDH in group G iff Adv[CDH] ≥ ε
G is (τ,ε)-CDH group iff no adversary ε-breaks CDH in G in time ≤ τ
G is CDH group iff it is (poly(κ),negl(κ))-CDH group

17. remarks
Clearly, CDH is secure in A group iff DHKE is KR secure in the same group
τ = τ (κ) and ε = ε (κ) are functions of κ

18. QUIZ: CDH vs DL ?
CDH DL ?

19. some contrived groups where DL holds but not CDH, ...
QUIZ: CDH vs DL
Answer: yes ?
CDH hard
DL hard ?
some contrived groups where DL holds but not CDH, ...
Answer: depends

20. Proof: CDH => DL Typical reduction
Theorem. If G is a (τ + small, ( / q) ε + (1 - 1 / q) / q)-CDH group, then it is also a (τ, ε)-DL group.
Proof idea. Reduction to absurd: we show that if DL is easy in G, then CDH must also be easy in G.
DL is easy => there exists an adversary D that breaks DL
We show CDH is easy by constructing an adversary C that breaks CDH
C can use help from adversary D, by sending inputs to D and receiving outputs
Typical reduction

21. Intuitive proof Assume D can break DL
given gˢ, outputs s with probability ε
Construct adversary C that breaks CDH
given gˢ, gᵗ, call D to compute s ← D (gˢ)
return (gᵗ)ˢ = gˢᵗ
But what is the success probability of C?

22. Security games CDH game: need to construct C DL game: D is given
A challenger generates values from some fixed "valid" distributions and sends them to the adversary C
A challenger generates values from some fixed "valid" distributions and sends them to the adversary D
After some computation, C returns some value to the challenger
After some computation, D returns some value to the challenger
Depending on the input and the output, the challenger declares C to be either successful or not
Depending on the input and the output, the challenger declares D to be either successful or not
This is the only thing we know...

23. CDH game: need to construct C
Security reduction
CDH game: need to construct C
DL game: D is given
A challenger generates values from some fixed "valid" distributions and sends them to the adversary C
A challenger generates values from some fixed "valid" distributions and sends them to the adversary D C
After some computation, C returns some value to the challenger
After some computation, D returns some value to the challenger
Depending on the input and the output, the challenger declares C to be either successful or not C

24. Reduction: CDH => DL
Exists
Need to construct
Exists
Challenger C D
s, t ← ℤq; h ← gˢ; f ← gᵗ
(desc(G), h, f)
Correct distribution for CDH
(desc(G), h)
remove 1 elem.
Correct distribution for DL
... ;/* compute m */
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
if sk* = gˢᵗ
return 1
else
return 0 m
sk*

25. Reduction: CDH => DL
Assume D works in time τ and is successful with prob. ε + 1 / q
Reduction: CDH => DL
If D is successful then C is successful and takes time τ* =τ + small
Challenger C D
s, t ← ℤq; h ← gˢ; f ← gᵗ
If D is unsuccessful then C is successful with prob. 1 / q, and takes time τ*
(desc(G), h, f)
(desc(G),h)
remove 1 elem.
... ;/* compute m */
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
if sk* = gˢᵗ
return 1
else
return 0 m
sk*

26. reminder: probability
Let A, B be two events
Pr [A] - probability that A holds
Pr [¬ A] - probability that A does not hold
Pr [A | B] - conditional probability
probability that A holds given that B holds
Then Pr [A] = Pr [A | B] · Pr [B] + Pr [A | ¬B] · Pr [¬B]

27. Reduction: CDH => DL
Assume D works in time τ and is successful with prob. ε + 1 / q
Reduction: CDH => DL
If D is successful then C is successful and takes time τ* =τ + small
Challenger C D
s, t ← ℤq; h ← gˢ; f ← gᵗ
If D is unsuccessful then C is successful with prob. 1 / q, and takes time τ*
(desc(G), h, f)
(desc(G),h)
remove 1 elem.
... ;/* compute m */
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
Pr[C successful] =
Pr[C successful | D successful] · Pr[D successful] +
Pr[C successful | ¬D successful] · Pr [¬D successful] =
1 · (ε + 1 / q) + 1 / q · (1 - (ε + 1 / q)) =
( / q) ε + (1 - 1 / q) / q + 1 / q =:
ε* + 1 / q
if sk* = gˢᵗ
return 1
else
return 0 m
sk*

28. Reduction: CDH => DL
Assume D works in time τ and is successful with prob. ε + 1 / q
Reduction: CDH => DL
If D is successful then C is successful and takes time τ* =τ + small
Challenger C D
s, t ← ℤq; h ← gˢ; f ← gᵗ
If D is unsuccessful then C is successful with prob. 1 / q, and takes time τ*
(desc(G), h, f)
(desc(G),h)
remove 1 elem.
... ;/* compute m */
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
Pr[C successful] = ε* + 1 / q
if sk* = gˢᵗ
return 1
else
return 0 m
Thus, if G is a (τ*, ε*)-CDH group then it is a (τ, ε)-DL group
sk*

29. quiz: are we done? If not, why not?
Is the achieved security sufficient?
Answer:
The fact that sk is unknown is not sufficient
Adversary should have no information about sk

30. c + any information about sk leaks information about m
DHKE in wild world h f
s,h←gˢ
t,f←gᵗ
sk=gˢᵗ = sk
XOR m c
c + any information about sk leaks information about m
One-time pad

31. DHKE: IND security is it sk or garbage? h f sk* sk=gˢᵗ sk=gˢᵗ = sk
Intuition: if Eve has any information about sk, she should be able to distinguish real sk from random
s,h←gˢ
t,f←gᵗ h f
sk=gˢᵗ
sk*
sk=gˢᵗ = sk
is it sk or garbage?

32. IND(ISTINGUISHABILITY) security
Game IND(κ,KE,A)
gk ← Setup(κ)
(skₐ,pkₐ)←Keygen (gk)
(skb,pkb)←Keygen (gk)
sk₀ ← SK (gk, skₐ, pkb)
sk₁ ← G
e ← {0, 1}
e* ← A (gk,pkₐ,pkb,skₑ)
Return e = e* ? 1 : 0
KE = (Setup, Keygen, SK)
Adv[IND] := | Pr[IND = 1] - 1 / 2 |
A ε-breaks IND security of KE iff Adv[IND] ≥ ε
KE is (τ,ε)-IND secure iff no adversary ε- breaks IND security of KE in time ≤ τ
KE is IND secure iff it is (poly(κ),negl(κ))- IND secure

33. SEcurity reduction? We would like to prove that DHKE is IND secure
by reducing IND security to CDH assumption
Not possible
well-known groups where CDH holds but DHKE is not IND secure

34. ddh We introduce again a tautological assumption, DDH
Decisional Diffie-Hellman, known since 70s => good
...in many groups
DDH is extremely useful in many protocols
Well-known groups where DDH does not hold
pairing-based groups: CDH conjectured to be hard, but DDH trivially breakable
interestingly, p-b groups are also extremely useful

35. DEF: DDH security Game DDH(G,A) Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)
gk ← Setup(κ)
(skₐ,pkₐ)←Keygen (gk)
(skb,pkb)←Keygen (gk)
sk₀ ← SK (gk, pkₐ, pkb)
sk₁ ← G
e ← {0, 1}
e* ← A (gk,pkₐ,pkb,skₑ)
Return e = e* ? 1 : 0
Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)
Assume that for any κ, Setup picks exactly one group G = G(κ)
Adv[DDH] := | Pr[DDH = 1] - 1 / 2 |
A ε-breaks DDH in G iff Adv[DDH] ≥ ε
G is a (τ,ε)-DDH group iff no PPT adversary A ε-breaks DDH in G in time ≤ τ
G is a DDH group iff it is (poly(κ),negl(κ))- DDH group

36. DDH: Short form Fix a cyclic group G and its generator g
Adversary has to distinguish between
(g, gˢ, gᵗ, gˢᵗ) -- DDH tuple
(g, gˢ, gᵗ, gᵐ) -- random tuple
where s, t, m are random

37. DDH vs IND security
Clearly, a group is DDH is secure iff DHKE is IND secure in the same group
τ = τ (κ) and ε = ε (κ) are functions of κ

38. Home exercise:Very similar to previous proof. Finish! Find parameters
Proof: DDH => CDH
Theorem. If G is a (≈τ, ≈ε)-DDH group, then it is also a (τ, ε)-CDH group.
Proof idea. Reduction to absurd: we show that if CDH is easy in G, then DDH must also be easy in G.
CDH is easy => there exists an adversary D that breaks CDH
We show DDH is easy by constructing an adversary C that breaks DDH
C can use help from adversary D, by sending inputs to D and receiving outputs
Home exercise:Very similar to previous proof. Finish! Find parameters

39. Beyond ind: semihonest vs malicious
Actual security requirements even more stringent
KR, IND security only demonstrate basic concepts
We assumed Eve is semihonest
Eavesdrops but does not change messages
Malicious Eve: can change, inject, delete messages
Alice and Bob need to authenticate each other
"Authenticated Diffie-Hellman"
Crucial notions
Security of various protocols against malicious adversaries: second half of the course

40. What next? DDH is a very versatile assumption
One can construct many useful protocols from it
DDH
Encryption
Signatures
...
E-voting
CPIR
E-cash

41. What next?
Since many protocols are based on homomorphic encryption, the next lecture is about homomorphic encryption
More precisely: Elgamal encryption

42. Study outcomes Key exchange DHKE in particular KR security and CDH
IND security and DDH
Reductions: how to do