Cryptology ePrint Archive: Report 2007/473
Authenticated Key Exchange and Key Encapsulation Without Random Oracles
Abstract: This paper presents a new paradigm to realize cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and a class of pseudo-random functions (PRFs), $\pi$PRFs, PRFs with pairwise-independent random sources. We propose a (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparably as efficient as the existing most efficient protocols like MQV and that is secure without random oracles (under these assumptions). Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk
(eCK) security definition introduced by LaMacchia, Lauter and Mityagin. We also show that a variant of the Kurosawa-Desmedt key encapsulation mechanism (KEM) using a $\pi$PRF is CCA-secure under the three assumptions. This scheme is secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security,
with using a generalized TCR (GTCR) hash function in place of a TCR hash function. The proposed schemes in this paper are validity-check-free and the implication is that combining them with validity-check-free symmetric encryption (DEM) will yield validity-check-free (e.g., MAC-free) CCA-secure hybrid encryption.
Category / Keywords: public-key cryptography / key exchange, public-key cryptography, key encapsulation, pseudo-random function
Publication Info: This is a revised and full version of the extended abstract published in the proceedings of Asiacrypt 2007 as an invited talk manuscript.
Date: received 18 Dec 2007, last revised 26 Dec 2007
Contact author: okamoto tatsuaki at lab ntt co jp
Available format(s): PDF | BibTeX Citation
Note: I found several errors and typos in the previous version, and corrected them in this revised version.
Version: 20071226:081835 (All versions of this report)
Short URL: ia.cr/2007/473
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]