 Hi and welcome to my talk about Authenticated Key Exchange and Signatures with Tight Security in the Standard Model. My name is Doreen Riefel and this is joint work with Shoei Ha, Tiboyaga, Eike Kils, Shingli Liu, Joshin Pan and Sven Schäger. I will start with a general overview of Authenticated Key Exchange short AKE. We consider two users, Alice and Bob, they interact with each other and exchange some messages and in the end they will both compute a shared session key. This session key can then be used to encrypt further traffic. Correctness of the protocol tells us that those keys are the same, as long as both users receive the messages that the other user has sent. But of course, when looking at security of an AKE protocol, we also consider an adversary Eve. But we put Eve in between the interaction. That means Eve controls the message flow. She can drop, modify or inject messages. We also give her access to some secret information. For example, she can corrupt the long-term keys of users and reveal secret state information or session keys. We define two security goals. The first one is authentication. That means that the adversary cannot impersonate a user without corrupting it before. That is, without the knowledge of its long-term secret key. And the second goal is key indistinguishability, which is modeled with a so-called test oracle. And when Eve tests a particular session, she gets a challenge key and has to distinguish whether this is the real session key or a uniformly random key. Which brings me to some definitions about provable security. As usually done in cryptography, the security experiment, I just explained informally, is defined as a game between a challenger and an adversary. And we prove security by contradiction using a security reduction. That is, we assume there exists an adversary A against our group to graphic scheme. In this case, the AKE protocol. And we use A to build an adversary B against a computationally hard problem. However, we believe that this problem is hard to solve. So such an adversary A against our scheme cannot exist and our scheme is secure. In our work, we mainly focused on tightness. So let's define this. We call a security reduction, right? If A and B have about the same advantage and running time. And what I mean with about the same is that they only differ in a constant factor. In particular for AKE, they do not depend on the number of users or the number of sessions. And why this is interesting is because it tells us how to choose the system parameters. In fact, only a tight proof allows us to implement the protocol to theoretically sound. And given a non tight proof, want to think about increasing the system parameters. For example, the size of elliptical groups. And let me now explain why many AKE proofs are not tight. The first point I want to address here is the so-called commitment problem. I already gave you an idea about the security model, but actually we are not looking only at two users exchanging one session key. But we are looking at many users and each of them may be involved in many sessions. And for all sessions, the adversary can decide whether it wants to reveal the session key or whether it wants to test the session. So our security reduction needs to be able to answer both those queries. And one way to achieve this is to first guess the test session. But this directly comes with a huge security loss. And if we now consider many test sessions, this becomes even more tricky. So we have to avoid this guessing strategy. Another point is answering corruption queries. I already mentioned this. The adversary can decide to corrupt users, which means it reveals the long-term key of those users. And in many protocols, these long-term keys are signing keys, since we use signatures to achieve authentication during the protocol. And when considering tightness here, we run into another paradox. The reduction must be able to output signing keys for all users. But the knowledge of a signing key should allow the reduction to compute the signatures itself. So in this case, we must argue how we can still extract a solution to a hard problem from a signature that was forged by the adversary. And before now coming to the details of our results and how we solve these problems, I want to give a short comparison to previous work. The first tightly secure AKE was proposed by Baader et al. at TCC 2015. They also focused on the standard model, thus it's not surprising that their scheme was not really efficient, mainly because of their tree-based signature scheme. They also proposed another very efficient signature scheme, but it turned out that the proof is flawed and the signatures do not have the properties we need. I will come back to some more details later in this talk when presenting our new scheme. What you see here in the last column is the ability to reveal the ephemeral state of a session. The state is to define to contain all secret information that has to be stored by a user between different grounds of a protocol. And most previous work, including the one by Baader et al, did not consider such a strong model, as it comes along with some more difficulties which I will also explain later. At Crypto 2018, Yustin and Jagger proposed a quite efficient variant of the scientific helmet protocol, including a new signature scheme. The security of both the AKE protocol and the signature scheme were proven in the random oracle model, which allows them to get a tight proof. In this work, they also do not consider state reveals. And one year later, at Crypto, con coordinate are provided very practical and efficient if the helmet protocols without signatures, also in the random oracle model. Their proof loses a factor that is linear in the number of users, and this does not tie it. But they also show that this loss is inherent to many protocols using implicit authentication without signatures. The next work of Liu et al presented at Azure Crypt 2020 was a focused on tight AKE in the standard model. The protocol itself is quite efficient, but only assuming the efficient signature scheme by Baader et al. That's why I put the X in brackets here, because the only known signature scheme at this point is the tree based construction by Baader et al. And our work now also revisits their construction by giving a new proof and a signature scheme. In between, there was another work by Jager et al, including myself at Eurogroup this year. This was the first work to consider tight AKE with ephemeral state reveals, but the techniques inherently relied on the random oracle model, which brings me to this work, which combines everything together. Proven in the standard model and with our new signature scheme, it is still quite efficient. We are also the first to consider state reveals in the standard model. And to achieve this, I have to say that we need a non-tight reduction to symmetric primitive, but compensating this loss is still quite efficient, as all reductions to public key components are still tight. So let's dive a bit more into details. Our protocol is a generic construction of basic cryptographic building blocks, and the first one is a camp. Alice, the initiator of the protocol draws a fresh key pair and sends the ephemeral public key to Bob. Bob runs the n-cups algorithm to encapsulate a key, which will then be the session key. He sends the cipher text back to Alice so that she can compute the same key. And note here that in order to do so, she needs to store the secret key until she receives Bob's message. And this is what we call the state. Of course, this protocol does not have any authentication yet, so we add a signature scheme. Alice and Bob both have a secret signing key and a public verification key as a long-term key pair. And now all messages along with the identities are signed. And the session key will only be accepted if the signatures verify correctly. This standard camp signature construction is one of the protocols we analyze in our work. But we also look at a three-round extension of it, in which we add an additional nonce. So now Bob first picks a random nonce, and he initiates the protocol by sending this nonce to Alice. We also included in both signatures, and I will explain why this is useful in a second. So what we need to do now is we need to find out what security we need from the camp. Here we differentiate between the two-round and the three-round protocol. And as I explained in the beginning, in the AKE security experiment, we have many sessions between different users. In each session, there's one new key pair, so we definitely need multi-user security. And looking at the two-round protocol now, as a reminder, the first message consists of the ephemeral public key and a signature on this public key and the identities of Alice and Bob. So the first message is actually valid for any session between Alice and Bob. And in particular, the adversary can replay this message. If this happens, the security experiment has still control over the ciphertext. But we need security for all those sessions, so we need many ciphertext security. And now we can see where the nonce comes into effect. In the three-round protocol, the nonce prevents these replay attacks, as a signature is now only valid for one particular nonce, which allows us to relax the security to single ciphertext security. And now looking at the last message, in both protocols, the adversary can always impersonate a user. That means after receiving the first message with a public key, it can corrupt the user, then choose its own ciphertext and compute a signature. We cannot expect security for such a session, but the adversary can reveal the session key to see if the simulation is correct. So we need to be able to decrypt the ciphertext, and thus we need CCA security. Switching to the signature scheme, each user has a long-term key pair. We have many users, so again we need multi-user security. Users should authenticate each other explicitly, which requires the standard existential unfortunately property. That means that the adversary cannot impersonate a user and send a message or enter signature without also corrupting this user before. Which brings me to the third property. We need to be able to answer these corrupt queries and provide the secret signing keys. So far, I didn't talk about the state reveals, so let's look again at the three-round protocol. As I mentioned before, we define the state as those information that have to be stored between different grounds to compute the session key. So here, the state consists of the ephemeral secret key. But imagine now we give the adversary the ephemeral secret key. Then it can directly compute the session key. And this is considered a non-trivial attack, as the adversary does not even interfere in the protocol execution. So what we need to do is we need to protect the secret key. And we do so by adding a symmetric encryption scheme. Now Alice has an additional symmetric key as long-term key. And more important, she does not store the secret key, but she stores an encryption of it. And after receiving both methods, she can simply decrypt the state and then use the ephemeral secret key as before. Now we can observe that the adversary must know both symmetric long-term key and the state to obtain the ephemeral secret key. So it must corrupt Alice and reveal the state. But this is now a trivial attack against all AKE protocols. So such a session can never be a test session. But it's not as easy as it sounds, in particular when considering kindness. We still need to simulate all sessions correctly. And here we run into another commitment problem we have to solve. In some more detail, after a state reveal, the adversary can choose to either corrupt the user or test the session. And in case of a corruption, the state must decrypt to the correct value, to the correct secret key. But in case of a test query, we want to rely on the fact that the state does not leak anything about the secret key. And all these queries are of course adaptive, so we need to know all ephemeral secret keys that are inside the state. What we then did was we extracted the exact security properties we need from the CAM. And this is where previous work relied on the random oracle model. And in this case here, it was already useful that we could relax the security to sing in ciphertext due to the nonce. And we used this at the basis to come up with a new definition. Our CAM needs an additional algorithm n-cup-star, which takes the secret key instead of a public key to compute a ciphertext and a key. As a first property, we want that this new algorithm n-cup-star is computationally indistinguishable from the original n-cups algorithm. This must hold for many key pairs, even given the secret keys. And as a second property, we need that given a public key, the decapsulated key of an adversely chosen ciphertext. The ciphertext output by n-cups-star and the key output by n-cups-star is statistically indistinguishable from a uniformly random key. Now the question is, how can we construct such a CAM? And we show how to do that generically from a universal to hash proof system. And in particular, we can instantiate it under the matrix decision or the Fiehrmann assumption. And now for the symmetric encryption scheme, it turns out that we only require the standard single key CPA security. This is now all I want to say about the AKE protocol, and I will continue with our second contribution, which is a tightly secure signature scheme. As a reminder, what we need is multi-user existential affordability with corruptions. And all previous schemes were either proven in the random oracle model, or they're used by inefficient tree-based constructions. Bada and I proposed a very efficient scheme, but we found a flaw in their proof. Actually, the scheme is secure in the multi-user setting, but it doesn't support corruptions. But let's look at the idea behind the scheme and also our new scheme. It follows the generic transformation from a tightly secure MAC to a tightly secure signature scheme. And this was first shown for the single-user setting by Blasi, Kils and Pan at Crypto 2014. Then Bada and I extended this to the multi-user setting, and we fixed the scheme and show how to additionally achieve security against corruptions. The problem essentially was that the MAC tag was uniquely defined. And to fix this, we extended techniques that were already used by Langreja and Pan to construct tightly secure HIV. And our resulting scheme is still quite efficient with verification keys consisting of one group element and signatures consisting of five group elements when instantiated under the SXDH assumption in asymmetric pairing groups. So let's conclude the talk and sum up our contributions. We give a new efficient and tight AKE protocol in the standard model. We achieve security in a stronger model than previous work, additionally considering state reveals when we allow a non-tight reduction to the symmetric encryption scheme. And an essential building block for our protocol is a tightly secure signature scheme that also supports corruptions, and we give the first practical construction. For more details, check out our paper on e-print. That's it. And thank you for listening.