\(\textsf{TOPAS}\) 2-pass key exchange with full perfect forward secrecy and optimal communication complexity
Author: Sven Schäge
Journal: Designs, Codes and Cryptography, volume 60 1
DOI: https://doi.org/10.1007/s10623-024-01429-3
Published: 2024-07-27 (journal article, not open access)
Abstract: We present Transmission optimal protocol with active security (\(\textsf{TOPAS}\)), the first key agreement protocol with optimal communication complexity (message size and number of rounds) that provides security against fully active adversaries. The size of the protocol messages and the computational costs to generate them are comparable to the basic Diffie-Hellman protocol over elliptic curves (which is well-known to only provide security against passive adversaries). Session keys are indistinguishable from random keys—even under reflection and key compromise impersonation attacks. What makes \(\textsf{TOPAS}\) stand out is that it also features a security proof of full perfect forward secrecy (PFS), where the attacker can actively modify messages sent to or from the test-session. The proof of full PFS relies on two new extraction-based security assumptions. It is well-known that existing implicitly-authenticated 2-message protocols like \(\textsf{HMQV}\) cannot achieve this strong form of (full) security against active attackers (Krawczyk, Crypto'05). This makes \(\textsf{TOPAS}\) the first key agreement protocol with full security against active attackers that works in prime-order groups while having optimal message size. We also present a variant of our protocol, \(\textsf{TOPAS+}\), which, under the Strong Diffie-Hellman assumption, provides better computational efficiency in the key derivation phase. Finally, we present a third protocol termed \(\textsf{FACTAS}\) (for factoring-based protocol with active security) which has the same strong security properties as \(\textsf{TOPAS}\) and \(\textsf{TOPAS+}\) but whose security is solely based on the factoring assumption in groups of composite order (except for the proof of full PFS).
Journal description:
Designs, Codes and Cryptography is an archival peer-reviewed technical journal publishing original research papers in the designated areas. There is a great deal of activity in design theory, coding theory and cryptography, including a substantial amount of research which brings together more than one of the subjects. While many journals exist for each of the individual areas, few encourage the interaction of the disciplines.
The journal was founded to meet the needs of mathematicians, engineers and computer scientists working in these areas, whose interests extend beyond the bounds of any one of the individual disciplines. The journal provides a forum for high quality research in its three areas, with papers touching more than one of the areas especially welcome.
The journal also considers high quality submissions in the closely related areas of finite fields and finite geometries, which provide important tools for both the construction and the actual application of designs, codes and cryptographic systems. In particular, it includes (mostly theoretical) papers on computational aspects of finite fields. It also considers topics in sequence design, which frequently admit equivalent formulations in the journal’s main areas.
Designs, Codes and Cryptography is mathematically oriented, emphasizing the algebraic and geometric aspects of the areas it covers. The journal considers high quality papers of both a theoretical and a practical nature, provided they contain a substantial amount of mathematics.