## Cryptology ePrint Archive: Report 2007/473

Authenticated Key Exchange and Key Encapsulation Without Random Oracles

Tatsuaki Okamoto

Abstract: This paper presents a new paradigm to realize cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and a class of pseudo-random functions (PRFs), $\pi$PRFs, PRFs with pairwise-independent random sources. We propose a (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparably as efficient as the existing most efficient protocols like MQV and that is secure without random oracles (under these assumptions). Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin. We also show that a variant of the Kurosawa-Desmedt key encapsulation mechanism (KEM) using a $\pi$PRF is CCA-secure under the three assumptions. This scheme is secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security, with using a generalized TCR (GTCR) hash function in place of a TCR hash function. The proposed schemes in this paper are validity-check-free and the implication is that combining them with validity-check-free symmetric encryption (DEM) will yield validity-check-free (e.g., MAC-free) CCA-secure hybrid encryption.

Category / Keywords: public-key cryptography / key exchange, public-key cryptography, key encapsulation, pseudo-random function

Publication Info: This is a revised and full version of the extended abstract published in the proceedings of Asiacrypt 2007 as an invited talk manuscript.

Date: received 18 Dec 2007, last revised 26 Dec 2007

Contact author: okamoto tatsuaki at lab ntt co jp

Available format(s): PDF | BibTeX Citation

Note: I found several errors and typos in the previous version, and corrected them in this revised version.

[ Cryptology ePrint archive ]