Communication Lower Bounds of Key-Agreement Protocols
Communication Lower Bounds of
Key-Agreement Protocols via
Density Increment Arguments
Mi-Ying (Miryam) Huang
Xinyu Mao
Guangxu Yang
Jiapeng Zhang
1
Key-Agreement Protocols in
the
ROM
2
Upper
Bounds:
Merkle Puzzle [Merkle 78]
3
Merkle puzzle only provides a
quadratic
gap between the efficiency
of the honest parties and the attacker.
Can
we
do
better
?
[Noam23]
proposed
a
variant
of
the Merkle
Puzzle
with perfect completeness and the same security
.
Previous
Lower
bounds:
4
Intersection queries
The
heavy
query
techniques have found
wide
applications in the
context
of black-box
separations
and
the power
of random oracles in secure two-party computation
[KSY11, BKSY11, MP12
, DSLMM11, MMP14, HOZ13
]
.
Merkel
Puzzle
is
optimal
w.r.t.
query
complexity
of
the
attacker!
5
Non-adaptive
:
Alice and Bob decide their queries before protocol execution, i.e.,
their
queries
are
fully determined by
their
internal randomness.
Heavy
queries
and
analyze
the
communication
cost
via
ad
hoc
techniques
Communication
Lower
bounds
Our
Contribution
6
The
protocol
in
[Noam23]
is
optimal.
Technical
contribution:
1
、
Correlated
queries:
the
queries
are not
only
heavy
queries
but
also
highly
related
to
communication
transcripts.
2
、
Analyze
the
communication
cost
via
density
increment
arguments.
Correlated Queries
How
to
bound
the
expected
number
of
iterations?
Density
Increment
Argument
Summary
and
Proof
Outline
The
proof
outline
is
as follows:
Open
Problems
Imperfect
completeness?
Adaptive
protocols?
Other
applications
via
our
density
increment
argument
or
correlated
queries?
Thank you for listening
Key-agreement protocols play a vital role in secure communication between parties. This document explores lower bounds of key-agreement protocols through density increment arguments, idealization of symmetric primitives, Merkle puzzles, and the impact of communication bits between Alice and Bob. Various lower bounds, upper bounds, and contributions to improving protocol security are discussed, emphasizing the importance of communication efficiency and security guarantees.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
1 Communication Lower Bounds of Key-Agreement Protocols via Density Increment Arguments Mi-Ying (Miryam) Huang Xinyu Mao GuangxuYang Jiapeng Zhang
Key-Agreement Protocols in the ROM 2 Idealization of symmetric primitives E.g., one-way function, collision- resistant hash function Random function ?: ? [?] Attacker Alice Bob Communication Ouput ???? Ouput ???? Correctness: ????= ????(w.h.p.) Security: any attacker sees the transcript and makes a few queries cannot guess ????.
Upper Bounds:Merkle Puzzle [Merkle 78] 3 Sample ?1, ,? ? Query the oracle to get ? ?1, ,? ? [?] Sample ?1, ,? ? Query the oracle to get ? ?1, ,? ? [?] Random function ?: ? [?] ? ?1, ,? ? Send ? ?? If ? ?.?.? ?? = ?(??) Send ? ?1, ,? ? ? ?? Output ???? ?? Ouput ???? ?? Correctness: Merkle puzzle only provides a quadratic gap between the efficiency of the honest parties and the attacker. Set ? 10 2, ?1, ,? ?1, ,? If ? is large enough, ????= ????w.h.p. Security: the shared key ? is uniformly distributed The attacker should makes at least ( 2) queries. = 1 w.h.p. by birthday paradox. Can we do better ? [Noam23] proposed a variant of the Merkle Puzzle with perfect completeness and the same security.
Previous Lower bounds: 4 Impagliazzo and Rudich [IR89] Any key agreement protocol where Alice and Bob each make queries can be broken by the attacker with O( 6) queries. Intersection queries Barak and Mahmoody [BM09] Heavy queries Any key agreement protocol where Alice and Bob each make queries can be broken by the attacker with O( 2) queries. Pr[q Q(V)] . Merkel Puzzle is optimal w.r.t.query complexity of the attacker! The heavy query techniques have found wide applications in the context of black-box separations and the power of random oracles in secure two-party computation [KSY11, BKSY11, MP12, DSLMM11, MMP14, HOZ13].
Communication Lower bounds 5 The amount of communication bits betweenAlice and Bob is also Important in practice! For example,in Merkle s Puzzles, Alice and Bob need to exchange ( ) bits. Conjecture [HMOYR18] Any -query and c bits communication KA non-adaptive protocols could be broken by the attacker with ?(c )-queries. Non-adaptive: Alice and Bob decide their queries before protocol execution, i.e., their queries are fully determined by their internal randomness. Theorem [HMOYR18] Any -query and c bits communication KA non-adaptive two rounds protocols could be broken by the attacker with ?(c )-queries. Heavy queries and analyze the communication cost via ad hoc techniques
Our Contribution 6 MainTheorem Any -query and c bits communication KA non-adaptive and prefect completeness protocols could be broken by the attacker with ?(c )-queries. The protocol in [Noam23] is optimal. Perfect Completeness: Pr ????= ???? = 1 Technical contribution: 1 Correlated queries:the queries are not only heavy queries but also highly related to communication transcripts. 2 Analyze the communication cost via density increment arguments.
Correlated Queries Correlated Query Let ? be a transcript and ? be the current queries of the attacker .We say S ? is ?-correlated w.r.t. attacker s view ?,? if ? ? ? |??,??,? ? ? ? | ??,??,?,? ? Algorithm of the attacker: Initialize ? = 0 and ? = . While exists S ? is ?-correlated w.r.t. the attack s view ?,? with ? : Query ? on ? and receive ? ? . Update ? = ? ?,? ? and ? = ? + 1. How to bound the expected number of iterations? Output ? = max ? (??,??,?)|?,?[????(?) = ?] . Pr ? {0,1} (??,??,?)|?,?is the distribution of all possible execution condition on communication transcript ? and queries ?.
Density IncrementArgument Density Function Let ? be a transcript and ? be the queries of the attacker, the density function (?,?) is defined as follows: ?,? = ? ? |??,??,? ? ?| ??,??,?,? Lemma 1: The expected number of iterations of the algorithm is ?(CC( )/?). .. ?, ?,?1 ?2 ?,?1 ?,?1 ?? By Chain Rule, the density function decreases at least ? in expectation after ?-correlated queries in each iteration. Notice that the density function is always non-negative since ? is a uniform distribution condition on (??,??,?). ?, ? Thus,the expected number of iterations given ? is protocol is E? [ ?, and the expected number of iterations given ] ? ? ??,??,?) ? ? ??,??,?, ) ?( ) ??( ) ? ? ? ?
Summary and Proof Outline MainTheorem Any -query and c bits communication KA non-adaptive and prefect completeness protocols could be broken by the attacker with ?(c )-queries. The proof outline is as follows: Algorithm: The attacker queries the ?-correlated queries in each iteration and outputs the majority of the possible output based on it s view ?,? . Lemma 1: The expected number of iterations of the algorithm is ?(CC( )/?). Proved by density increment arguments. Lemma 2: The success probability of the algorithm is at least 1 ?. Proved by the rectangle view in communication complexity. We omitted the proof in this talk
Open Problems MainTheorem Any -query and c bits communication KA non-adaptive and prefect completeness protocols could be broken by the attacker with ?(c )-queries. Imperfect completeness? Adaptive protocols? Other applications via our density increment argument or correlated queries? Thank you for listening
