On the Communication Complexity of Key-Agreement Protocols
arXiv - CS - Cryptography and Security. Pub Date: 2021-05-05, DOI: arxiv-2105.01958. Authors: Iftach Haitner, Noam Mazor, Rotem Oshman, Omer Reingold, Amir Yehudayoff
Key-agreement protocols whose security is proven in the random oracle model
are an important alternative to protocols based on public-key cryptography. In
the random oracle model, the parties and the eavesdropper have access to a
shared random function (an "oracle"), but the parties are limited in the number
of queries they can make to the oracle. The random oracle serves as an
abstraction for black-box access to a symmetric cryptographic primitive, such
as a collision resistant hash. Unfortunately, as shown by Impagliazzo and
Rudich [STOC '89] and Barak and Mahmoody [Crypto '09], such protocols can only
guarantee limited secrecy: the key of any $\ell$-query protocol can be revealed
by an $O(\ell^2)$-query adversary. This quadratic gap between the query
complexity of the honest parties and the eavesdropper matches the gap obtained
by Merkle's Puzzles protocol of Merkle [CACM '78].

In this work we tackle a new aspect of key-agreement protocols in the random
oracle model: their communication complexity. In Merkle's Puzzles, to obtain
secrecy against an eavesdropper that makes roughly $\ell^2$ queries, the honest
parties need to exchange $\Omega(\ell)$ bits. We show that for protocols with
certain natural properties, ones that Merkle's Puzzles has, such high
communication is unavoidable. Specifically, this is the case if the honest
parties' queries are uniformly random, or alternatively if the protocol uses
non-adaptive queries and has only two rounds. Our proof for the first setting
uses a novel reduction from the set-disjointness problem in two-party
communication complexity. For the second setting we prove the lower bound
directly, using information-theoretic arguments.
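To make the numbers in the abstract concrete, here is an added Python simulation (not code from the paper) of Merkle's Puzzles in the random oracle model with uniformly random queries: each honest party makes $\ell$ oracle queries on a domain of size $\ell^2$, Alice's message carries all $\ell$ of her outputs (so $\Omega(\ell)$ bits), and the eavesdropper, who shares the same oracle, can only invert the announced output by exhausting the domain, i.e. with up to $\ell^2$ queries. The oracle output width (128 bits), the seeded stand-in for true randomness and all function names are assumptions of this example.

```python
import random

class RandomOracle:
    """Lazily sampled random function on {0..n-1}; counts queries per caller."""
    def __init__(self, n, seed):
        self.n = n
        self.rng = random.Random(seed)  # seeded stand-in for true randomness (assumption)
        self.table = {}
        self.queries = {}
    def query(self, caller, x):
        self.queries[caller] = self.queries.get(caller, 0) + 1
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(128)  # fresh 128-bit output (assumption)
        return self.table[x]

def run_merkle_puzzles(ell, seed=0):
    """Uniformly random queries: ell each on a domain of size ell**2; None if no collision."""
    n = ell * ell
    oracle = RandomOracle(n, seed)
    rng = random.Random(seed + 1)
    # Alice queries ell random points and sends all ell outputs (ell * 128 bits).
    xs_a = [rng.randrange(n) for _ in range(ell)]
    ys_a = [oracle.query("alice", x) for x in xs_a]
    # Bob queries ell random points and looks for one of Alice's outputs.
    xs_b = [rng.randrange(n) for _ in range(ell)]
    ys_b = [oracle.query("bob", x) for x in xs_b]
    pos = {y: i for i, y in enumerate(ys_a)}
    for x_b, y_b in zip(xs_b, ys_b):
        if y_b in pos:
            i = pos[y_b]  # Bob replies with the index only (about log2(ell) bits)
            return {"oracle": oracle, "key_alice": xs_a[i], "key_bob": x_b, "announced": (ys_a, i),
                    "bits_sent": ell * 128 + max(1, (ell - 1).bit_length())}
    return None

def eavesdrop(oracle, announced):
    """Eve sees the transcript; inverting the matched output means walking the domain."""
    ys_a, i = announced
    for x in range(oracle.n):  # at most ell**2 oracle queries
        if oracle.query("eve", x) == ys_a[i]:
            return x
    return None

def demo(ell, seed=0):
    """Retry seeds until the honest parties collide, then run the eavesdropper."""
    while (run := run_merkle_puzzles(ell, seed)) is None:
        seed += 1
    run["key_eve"] = eavesdrop(run["oracle"], run["announced"])
    run["queries"] = dict(run["oracle"].queries)
    return run
```

`demo(32)["queries"]` shows the gap directly: Alice and Bob make 32 queries each while Eve needs up to 1024, and `bits_sent` is dominated by Alice's 32 announced outputs.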
Chinese translation (rendered in English):
On the Communication Complexity of Key-Agreement Protocols
Key-agreement protocols whose security is proven in the random oracle model are an important alternative to protocols based on public-key cryptography. In the random oracle model, the parties and the eavesdropper can access a shared random function (an "oracle"), but the number of queries the parties may make to the oracle is limited. The random oracle serves as an abstraction for black-box access to a symmetric cryptographic primitive, such as a collision-resistant hash. Unfortunately, as shown by Impagliazzo and Rudich [STOC '89] and Barak and Mahmoody [Crypto '09], such protocols can only guarantee limited secrecy: the key of any $\ell$-query protocol can be revealed by an $O(\ell^2)$-query adversary. This quadratic gap between the query complexity of the honest parties and that of the eavesdropper matches the gap obtained by Merkle's Puzzles protocol of Merkle [CACM '78]. In this work we address a new aspect of key-agreement protocols in the random oracle model: their communication complexity. In Merkle's Puzzles, to obtain secrecy against an eavesdropper making roughly $\ell^2$ queries, the honest parties need to exchange $\Omega(\ell)$ bits. We prove that for protocols with certain natural properties (properties that Merkle's Puzzles has), such high communication is unavoidable. Specifically, this is the case if the honest parties' queries are uniformly random, or if the protocol uses non-adaptive queries and has only two rounds. Our proof for the first setting uses a novel reduction from the set-disjointness problem in two-party communication complexity. For the second setting we prove the lower bound directly using information-theoretic arguments.
Updated: 2021-05-06