Breaking One-Round Key-Agreement Protocols in the Random Oracle Model
In this paper we study one-round key-agreement protocols analogous to Merkle's puzzles in the random oracle model. The players Alice and Bob are allowed to query a random permutation oracle $n$ times and upon their queries and communication, they bot…
Authors: Miroslava Sotakova
Miroslava Sotáková, Department of Computer Science, mirka@cs.au.dk

Abstract. In this paper we study one-round key-agreement protocols analogous to Merkle's puzzles in the random oracle model. The players Alice and Bob are allowed to query a random permutation oracle $n$ times and upon their queries and communication, they both output the same key with high probability. We prove that Eve can always break such a protocol by querying the oracle $O(n^2)$ times. The long-time unproven optimality of the quadratic bound in the fully general, multi-round scenario has been shown recently by Barak and Mahmoody-Ghidary. The results in this paper have been found independently of their work.

1 Introduction

In this paper, we find a tight upper bound on the number of queries needed to break a key-agreement protocol in the random oracle model. Key-agreement protocols called Merkle's puzzles were constructed by Ralph Merkle in 1974 but only published in 1978 [1]. They are one of the earliest examples of public-key cryptographic protocols. The key agreement à la Merkle between Alice and Bob proceeds as follows: Alice constructs a large number of puzzles, each of them being possible to solve with Bob's computational resources. In other words, all of them are in the form of an encrypted message with an unknown key that is short enough to allow for a brute-force attack. After receiving the message from Alice, Bob chooses one puzzle uniformly at random and solves it. The solution contains an identifier and a key. Bob encrypts the identifier with the key, and announces it back to Alice. The solution of the puzzle solved by Bob becomes Alice's and Bob's secret key.
Since the puzzle's identifier is sent to Alice as a message encrypted with a key that is unknown to Eve, the eavesdropper's best strategy to attack such a protocol is to solve as many puzzles as possible. To achieve constant probability of success, Eve has to solve a constant fraction of them, which might require much more computational power than what is needed by the legitimate players. In a similar way we construct a key-agreement protocol in the random oracle scenario, where the computational difficulty of a key-agreement protocol is expressed by the number of oracle queries that Alice and Bob make in order to agree on a secret key. Instead of creating many puzzles, Alice queries the oracle in many positions that are unknown to both Bob and Eve, and sends the images of the queried elements to Bob. Bob queries the oracle in sufficiently many positions to get a collision with Alice's set of queries with high probability. He recognizes the collision from Alice's message and reports it back to Alice by its identifier, the oracle image. The pre-image becomes Alice's and Bob's secret key. In addition to the few queries, the communication gives Eve only a little information about the key, since the oracle is random. With the same number of queries as Bob, she would find a collision with Alice's set of queries with high probability, but not necessarily the one found by Bob. Hence, finding the right element might require significantly more oracle queries than Alice and Bob needed to agree on the key. Until recently, the best upper bound on Eve's number of queries needed to break such protocols had been shown by Impagliazzo and Rudich [2].

They prove that in any key-agreement protocol based on a random-permutation oracle, where Alice and Bob agree on the secret key in $n$ rounds in such a way that they make only one query per round (normal form of a protocol), Eve needs at most $O(n^3)$ oracle queries to output a secret key guess that matches Bob's secret key with the same probability as Alice's key does. For a protocol in the general form, $O(n^6)$ queries are sufficient for an attack, which can be proven by showing that any protocol can be transformed into its normal form with at most quadratic blow-up in the number of oracle queries made by the players. In [2], the question is studied in the larger context to show that the possibility of secure key agreement relative to some random permutation oracle implies $P \ne NP$. In other words, proofs showing that the existence of one-way functions implies the existence of secure key agreement do not relativize. The bound from [2] has been improved recently by Barak and Mahmoody-Ghidary [3], who show that in fact $O(n^2)$ queries are sufficient for Eve's attack. In our paper we deal with one-round key-agreement protocols where Alice and Bob query the oracle $a$ and $b$ times, respectively. Such protocols form a subset of the protocols whose normal form consists of $a + b$ rounds. We prove the tight $O((a+b)^2)$ upper bound on the number of queries Eve needs to break the protocol.

Throughout the paper, we use the following notation: $\chi_A$ denotes the characteristic function of set $A$, $E(X)$ denotes the mean value of random variable $X$, and $E_c(X)$ denotes the mean value of $X$, conditioned on information $c$.

2 One-Round Key-Agreement Protocols

In this section, we model one-round key-agreement protocols between Alice and Bob.
We assume that Alice, Bob, and an eavesdropper Eve have access to an oracle computing a random permutation $f$ on $\{1, \dots, n\}$. We define a one-round key-agreement protocol as follows:

Protocol 1. Given $n \in \mathbb{N}$ and an oracle computing a random permutation $f$ on $\{1, \dots, n\}$,
1. Alice queries the oracle $f$ in positions $A_1 \in \{1, \dots, n\}^{\le a}$, computes a message $c_A$ and sends it to Bob.
2. Bob, given $c_A$, queries the oracle $f$ in positions $B \in \{1, \dots, n\}^{\le b}$, computes a message $c_B$ and sends it to Alice. Bob generates the secret key $k_B \in \{0,1\}^\ell$, $k_B = g_B(B, f(B), c = (c_A, c_B), R_B)$, where $R_B$ denotes his local randomness.
3. Alice, given $c$, queries the oracle in positions $A_2 \subseteq \{1, \dots, n\}$ such that for $A := A_1 \cup A_2$, $|A| \le a$, and generates the secret key $k_A \in \{0,1\}^\ell$, $k_A = g_A(A, f(A), c, R_A)$, where $R_A$ denotes her local randomness.

We denote by $(a, b, \varepsilon)$-key-agreement any one-round key-agreement protocol defined as above and satisfying the following condition: $\Pr[k_A \ne k_B] \le \varepsilon$, where $\varepsilon < 1$ is a constant. Notice that $a$ and $b$ are functions of $n$, but for simplicity we refer to them by $a$ and $b$, instead of using $a(n)$ and $b(n)$, if the latter is not explicitly needed. Since key-agreement protocols take place between players Alice and Bob sharing no initial secret, the key generation mechanism must involve only common queries to the oracle $f$. We say that Eve breaks the protocol if she outputs a string that agrees with Bob's key with the same probability as Alice does.

Lemma 2.1. In order to break an $(a, b, \varepsilon)$-key-agreement protocol it is sufficient for Eve to query all intersection queries of Alice and Bob used for the generation of Alice's secret key.

Proof.
Eve querying all elements in $A_1 \cap B$ can construct a permutation $f'$ matching with $f$ on $E$ (Eve's queries), and a set $A'_1$ of queries to the oracle computing $f'$ such that $c_A = c_{A'_1}$ and $f'$ is consistent with $c_B$. Therefore, after querying $B$, Bob has exactly the same view about $A_1$ as he has about $A'_1$. Eve constructs the set $A'_2$ according to $A'_1$ and $c$, and then "queries" the $f'$-oracle on the positions in $A'_2$. Finally, she generates her secret key $k_E = g_A(A', f(A'), c, R_{A'})$, where $A' := A'_1 \cup A'_2$. From Bob's point of view, both $k_E$ and $k_A$ are generated from the same set $K \subseteq A \cap B$, i.e. $\Pr[k_B = k_E] = \Pr[k_B = k_A]$. ⊔⊓

3 Proof of the Quadratic Upper Bound

We will consider the following attack on an $(a, b, \varepsilon)$-key-agreement protocol:
1. Eve repeats Bob's querying strategy $\gamma a$ times for some constant $\gamma$ (i.e. makes $\gamma a b$ oracle queries) in order to query all queries in $A_1 \cap B$ with constant probability.
2. Eve extracts the positions of the $A_2$-queries from $c_B$ and queries the oracle on these positions ($a$ oracle queries).

Next we prove that with the proposed strategy Eve breaks the protocol with constant probability.

Lemma 3.1. By repeating Bob's strategy independently $5a$ times, Eve finds all elements in $A_1 \cap B$ with constant probability.

Proof. Let $\mathcal{A}$ and $\mathcal{B}$ denote the random variables associated with Alice querying the elements in $A_1$ and Bob querying the elements in $B$, respectively. Let $\mathcal{E}$ denote the random variable associated with the set of Eve's queries $E$. W.l.o.g., assume that for $x, y \in \{1, \dots, n\}$, $x \le y$, $P_{\chi_{\mathcal{B}}(x) | c_A}(1) \le P_{\chi_{\mathcal{B}}(y) | c_A}(1)$. Define $A^0_1 := A_1$, $B^0 := B$, $\mathcal{A}^0 := \mathcal{A}$, $\mathcal{B}^0 := \mathcal{B}$, $s_0 := E_{c_A}(|A_1 \cap B|)$, and $n_0 := n$. In the $i$-th step, define $n_{i+1}, A^{i+1}_1, B^{i+1}, \mathcal{A}^{i+1}, \mathcal{B}^{i+1}, s_{i+1}$ in order to satisfy the following: $\forall x \in \{n_{i+1}+1, \dots, n_i\}: P_{\chi_{\mathcal{B}}(x) | c_A}(1) \ge \frac{s_i}{2a}$, $A^{i+1}_1 := A_1 \setminus \{n_{i+1}+1, \dots, n\}$, $B^{i+1} := B \setminus \{n_{i+1}+1, \dots, n\}$, let $\mathcal{A}^{i+1}, \mathcal{B}^{i+1}$ denote the corresponding random variables, and set $s_{i+1} := E_{c_A}(|A^{i+1}_1 \cap B^{i+1}|)$. Furthermore, consider $u$ such that $\Pr[A_1 \cap B \subseteq \{n_u+1, \dots, n\} \mid c_A] \ge \frac{1}{2}$. First, we prove that
1. there exists $u \in \mathbb{N}$ with the desired property,
2. $n_{i+1} < n_i$ for $i \in \{0, \dots, u-1\}$,
3. $s_i - s_{i+1} \ge 1$ for $i \in \{0, \dots, u-1\}$,
4. $s_u \ge 1$.

We can write:
$$s_i = E_{c_A}(|A^i_1 \cap B^i|) = \sum_{A,\,|A| \le a} P_{\mathcal{A}^i | c_A}(A) \sum_{B,\,|B| \le b} P_{A \cap \mathcal{B}^i | c_A}(B)\,|A \cap B| \quad (1)$$
hence, there exists at least one $A \subseteq \{1, \dots, n\}^{\le a}$ such that $\sum_{B,\,|B| \le b} P_{A \cap \mathcal{B}^i | c_A}(B)\,|A \cap B| \ge s_i$. Let us choose one such $\bar{A}$. Then
$$s_i \le \sum_{B,\,|B| \le b} P_{\bar{A} \cap \mathcal{B}^i | c_A}(B)\,|\bar{A} \cap B| = \sum_{B,\,|B| \le b} \sum_{x \in \bar{A} \cap B} P_{\mathcal{B}^i | c_A}(B) = \sum_{x \in \bar{A}} \sum_{B:\, x \in \bar{A} \cap B} P_{\mathcal{B}^i | c_A}(B) = \sum_{x \in \bar{A}} P_{\chi_{\mathcal{B}^i}(x) | c_A}(1).$$
Since $|\bar{A}| \le a$, there is an $x \in \{1, \dots, n_i\}$ such that $P_{\chi_{\mathcal{B}^i}(x) | c_A}(1) \ge \frac{s_i}{a}$. If we remove all $x \in \{1, \dots, n_i\}$ such that $P_{\chi_{\mathcal{B}^i}(x) | c_A}(1) \ge \frac{s_i}{2a}$, then $s_{i+1} \le \frac{s_i}{2}$. Since in every step we remove at least one $x \in \{1, \dots, n\}$, the procedure terminates after finitely many steps and therefore $u$ is well-defined and is at most $n$. Clearly, for $s_i < 1$ we have $\Pr[A^{i+1}_1 \cap B^{i+1} = \emptyset \mid c_A] > \frac{1}{2}$, implying that with probability at least $1/2$ we have $A_1 \cap B \subseteq \{n_i+1, \dots, n\}$. Therefore $s_u \ge 1$ and for $i \in \{0, \dots, u-1\}$:
$$s_i - s_{i+1} \ge \frac{s_i}{2} \ge \frac{s_{u-1}}{2} \ge 1.$$

We finish the proof of the statement by showing that by repeating Bob's strategy $5a$ times independently, Eve queries all elements in $A_1 \cap B$ with probability at least $1/8$. For $x \in \{n_{i+1}+1, \dots, n_i\}$, Eve does not query $x$ with probability
$$P_{\chi_{\mathcal{E}}(x) | c_A}(0) \le \left(1 - \frac{s_i}{2a}\right)^a \le e^{-s_i/2}.$$
That means that in the case where $|A^i_1 \cap B^i \cap \{n_{i+1}+1, \dots, n_i\}| \le \frac{e^{s_i/2}}{2 s_i^2}$, the probability that Eve does not query at least one element in $\{n_{i+1}, \dots, n_i\} \cap A^i_1 \cap B^i$ is
$$\Pr\Big[\prod_{x \in \{n_{i+1}, \dots, n_i\} \cap A^i_1 \cap B^i} \chi_{\mathcal{E}}(x) = 0 \,\Big|\, c_A\Big] \le \frac{e^{s_i/2}}{2 s_i^2} \cdot e^{-s_i/2} = \frac{1}{2 s_i^2}.$$
Since the expected number of elements in $A^i_1 \cap B^i \cap \{n_{i+1}+1, \dots, n_i\}$ is $s_i$, Markov's inequality implies that the bound on the size fails with probability at most $\frac{2 s_i^3}{e^{s_i/2}}$. Hence, there exists $i$, $0 \le i < u$, such that $|A^i_1 \cap B^i \cap \{n_{i+1}+1, \dots, n_i\}| > \frac{e^{s_i/2}}{2 s_i^2}$ with probability at most $\sum_{i=0}^{u} \frac{2 s_i^3}{e^{s_i/2}}$. The function $\frac{2 x^3}{e^{x/2}}$ is decreasing for $x \ge 6$, yielding
$$\sum_{i=0}^{u'-1:\ s_{u'} \ge 6} \frac{2 s_i^3}{e^{s_i/2}} \le \sum_{i=0}^{u'-1:\ s_{u'} \ge 6} (s_i - s_{i+1}) \frac{2 s_i^3}{e^{s_i/2}} \le \int_{x = s_{u'}}^{\infty} \frac{2 x^3}{e^{x/2}}\, dx.$$
Then for $s_{u'} \ge 28$ we obtain:
$$\sum_{i=0}^{u'-1:\ s_{u'} \ge 28} \frac{2 s_i^3}{e^{s_i/2}} < \frac{1}{8}.$$
Furthermore, for $s_i < 28$ (there are at most 5 of them, since $s_{i+1} \le s_i/2$ and $s_u \ge 1$), the probability that $A^i_1 \cap B^i \cap \{n_{i+1}+1, \dots, n_i\}$ contains more than $40 s_i$ elements is at most $1/40$, by Markov's inequality. The probability that there exists an $i$, $0 \le i < u$, such that $|A_1 \cap B \cap \{n_{i+1}, \dots, n_i\}| > \max\{40 s_i, \frac{e^{s_i/2}}{2 s_i^2}\}$ is therefore at most $\frac{1}{8} + \frac{5}{40} = \frac{1}{4}$. If this happens, we say that $A_1 \cap B$ has a "bad structure" for finding all its elements by Eve. It is sufficient for Eve to repeat Bob's algorithm $(\log 80 + 3 \log s_i)\, a / s_i \le 5a$ times to get all elements in $A_1 \cap B \cap \{n_{i+1}, \dots, n_i\}$, $i \ge u'$, assuming that there are no more than $40 s_i$ of them, with probability at least $1 - \frac{1}{2 s_i^2}$. In other words, with $5a$ independent iterations of Bob's strategy, Eve does not query at least one element of a well-structured $A_1 \cap B \cap \{n_u+1, \dots, n\} = A_1 \cap B$ with probability
$$\Pr\Big[\prod_{x \in \{n_u+1, \dots, n\} \cap A_1 \cap B} \chi_{\mathcal{E}}(x) = 0 \,\Big|\, c_A\Big] \le \frac{1}{2} \cdot \sum_{i=0}^{u} \frac{1}{s_i^2} \le \sum_{i=0}^{u-1} (s_i - s_{i+1}) \cdot \frac{1}{2 s_i^2} + \frac{1}{2 s_u^2} \le \frac{1}{2} \cdot \int_{x = s_u}^{\infty} \frac{dx}{x^2} = \frac{1}{2 s_u} \le \frac{1}{2}.$$
Since $A_1 \cap B \not\subseteq \{n_u+1, \dots, n\}$ with probability at most $\frac{1}{2}$, and $A_1 \cap B$ is ill-structured with probability at most $\frac{1}{4}$, $A_1 \cap B \subseteq \{n_u+1, \dots, n\}$ and is well-structured with probability at least $\frac{1}{4}$. In this case Eve queries all intersection elements with probability at least $\frac{1}{2}$; hence, Eve finds all intersection queries of $A_1$ and $B$ with probability at least $\frac{1}{8}$. ⊔⊓

Theorem 3.2. Eve can break an $(a, b, \varepsilon)$-key-agreement protocol with $O((a+b)^2)$ queries with constant probability.

Proof. As we claim in the proof of Lemma 2.1, Eve querying all elements in $A_1 \cap B$ needs at most $|A_2| \le a$ queries more to generate the key that matches Bob's secret key with the same probability as Alice's key does. Lemma 3.1 shows that Eve can always query all elements in $A_1 \cap B$ with probability $1/8$ with at most $5ab$ queries. Therefore, Eve can break the protocol with constant probability with $5ab + a \in O((a+b)^2)$ oracle queries. ⊔⊓

4 Optimality of the Bound

Consider the following protocol:

Protocol 2.
1. Alice chooses a set $A \subseteq \{1, \dots, n\}$, $|A| = a = \lceil \sqrt{n} \rceil$ uniformly at random, queries the oracle for the elements of $A$, and sends $c_A = \{f(x) : x \in A\}$ to Bob.
2. Bob chooses a set $B \subseteq \{1, \dots, n\}$, $|B| = b = \lceil \sqrt{n} \rceil$ uniformly at random, queries the elements of $B$, chooses a collision element $k \in \{f(y) : y \in B\} \cap c_A$ at random, and sends $c_B = \{f(k)\}$ to Alice. He outputs the key $k$.
3. Alice recognizes $k$ according to $c_B$ and $A$, and outputs the key $k$.
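To make the two halves of the paper concrete, the following simulation runs Protocol 2 against a random permutation oracle and then mounts the Section 3 attack (Eve repeats Bob's querying strategy $\gamma a$ times with $\gamma = 5$). It is an added example, not code from the paper. It follows the introduction's description of the collision step, where Bob reports the collision by its oracle image and the shared key is the pre-image; the parameter choice $n = 10000$, $a = b = 100$, the per-player query counting and all function names are this example's own. Eve stops as soon as a queried position maps to the identifier in $c_B$, so the reported count is the number of distinct oracle queries she actually needed, which is what the optimality argument in Section 4 is about.

```python
"""Protocol 2 (one-round Merkle-style key agreement over a random permutation
oracle) and Eve's Section 3 attack: repeat Bob's querying strategy gamma*a times.

Constructed example for this page; not the paper's own code.  Convention taken
from the paper's introduction: Bob sends the oracle image f(y) of the collision
as identifier, and the shared key is the pre-image y.
"""
import math
import random


class PermutationOracle:
    """Random permutation f on {1, ..., n}; records distinct queries per caller."""

    def __init__(self, n, rng):
        images = list(range(1, n + 1))
        rng.shuffle(images)
        self._f = dict(zip(range(1, n + 1), images))
        self.n = n
        self.queries = {}  # caller name -> set of positions queried so far

    def query(self, who, x):
        self.queries.setdefault(who, set()).add(x)
        return self._f[x]


def run_protocol(oracle, a, b, rng):
    """Protocol 2: Alice queries |A| = a random positions, Bob |B| = b.
    Returns (k_A, k_B, c_A, c_B); the keys are None if Bob found no collision."""
    A = rng.sample(range(1, oracle.n + 1), a)
    f_A = {x: oracle.query("alice", x) for x in A}
    c_A = set(f_A.values())                       # Alice's message: the images only

    B = rng.sample(range(1, oracle.n + 1), b)
    f_B = {y: oracle.query("bob", y) for y in B}
    collisions = [y for y in B if f_B[y] in c_A]  # A ∩ B, as Bob can see it
    if not collisions:
        return None, None, c_A, None              # protocol fails (prob. about e^-1)
    k_B = rng.choice(collisions)
    c_B = f_B[k_B]                                # identifier: the oracle image of the key

    # Alice recognizes the pre-image from her own table; no further queries needed.
    inv_A = {v: x for x, v in f_A.items()}
    k_A = inv_A[c_B]
    return k_A, k_B, c_A, c_B


def eve_attack(oracle, c_B, a, b, rng, gamma=5):
    """Section 3 attack: repeat Bob's strategy gamma*a times (at most gamma*a*b
    queries) until some queried position maps to the identifier c_B.
    Returns (k_E or None, number of distinct oracle queries Eve made)."""
    seen = {}
    for _ in range(gamma * a):
        for y in rng.sample(range(1, oracle.n + 1), b):
            if y not in seen:                     # Eve caches; repeats cost nothing
                seen[y] = oracle.query("eve", y)
            if seen[y] == c_B:
                return y, len(seen)
    return None, len(seen)


def simulate(n, seed):
    """One protocol run plus attack with a = b = ceil(sqrt(n)); returns a summary."""
    a = b = math.ceil(math.sqrt(n))
    rng = random.Random(seed)
    oracle = PermutationOracle(n, rng)
    k_A, k_B, c_A, c_B = run_protocol(oracle, a, b, rng)
    result = {"a": a, "b": b, "agreed": k_A is not None and k_A == k_B,
              "player_queries": len(oracle.queries["alice"]) + len(oracle.queries["bob"])}
    if result["agreed"]:
        k_E, eve_q = eve_attack(oracle, c_B, a, b, rng)
        result.update(k_A=k_A, k_E=k_E, eve_queries=eve_q)
    return result


if __name__ == "__main__":
    runs = [simulate(10_000, seed) for seed in range(20)]
    ok = [r for r in runs if r["agreed"]]
    print(f"Bob found a collision in {len(ok)}/{len(runs)} runs (birthday bound)")
    print(f"players: {ok[0]['player_queries']} queries in total; Eve: "
          f"{sum(r['eve_queries'] for r in ok) / len(ok):.0f} distinct queries on average")
```

With $n = 10000$ the players spend $a + b = 200$ queries, while Eve, who has to invert $f$ at one point she learns from $c_B$, typically needs on the order of $n/2$ distinct queries: the quadratic gap of Theorem 3.2 and Section 4 is visible directly in the counts. Bob's failure rate of roughly $e^{-1}$ also shows why the definition only asks for $\Pr[k_A \ne k_B] \le \varepsilon$ with a constant $\varepsilon < 1$.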
Attack: With a constant probability, Bob finds at least one collision with Alice's set of queries due to the birthday paradox, and therefore the given protocol is an example of a $(\sqrt{n}, \sqrt{n}, \varepsilon)$-key-agreement protocol for some constant $\varepsilon < 1$. Given just $c$, the secret key is uniformly distributed in $\{1, \dots, n\}$ and furthermore, since the oracle is random, Eve knowing the oracle image for only $o(n)$ elements still has $(1 - o(1)) \log n$ entropy about $f(x)$ for $x \notin E$. Hence, Eve has to query the oracle in $\Theta(n)$ positions to get the right secret key with constant probability, implying that Eve's optimal strategy to break the protocol with constant probability must involve $O(n) = O((a+b)^2)$ oracle queries.

5 Conclusion

We provided an analysis of the most commonly considered attack on this type of key-agreement protocol, where the attacker iterates the players' strategies with gradually updated information, in the case of one-round protocols. Originally, we were hoping to generalize the result to apply in the multi-round scenario, which has been done very recently by Barak and Mahmoody-Ghidary.

6 Acknowledgements

We thank Louis Salvail who introduced me to the Merkle's puzzles problem.

References

1. Merkle, R. C. Secure communications over insecure channels. Communications of the Association for Computing Machinery 21, 4 (Apr. 1978), 294–299.
2. Impagliazzo, R., and Rudich, S. Limits on the provable consequences of one-way permutations. In STOC '89: Proceedings of the twenty-first annual ACM symposium on Theory of computing (New York, NY, USA, 1989), ACM Press, pp. 44–61.
3. Barak, B., and Mahmoody-Ghidary, M. Merkle Puzzles are Optimal. http://www.citebase.org/abstract?id=oai:arXiv.org:0801.3669, 2008.