The set of subalgebras of an algebra 𝐀 is closed under intersections. If B ⊆ A and for every basic operator f of the type, f 𝐀 | B = f 𝐁, then 𝐁 is a subalgebra of 𝐀. Let 𝐀 = ( A, F A ) and 𝐁 = ( B, F B ) be algebras of the same type. The set A of an algebra 𝐀 = ( A, F ) isĬalled the underlying set (or the universe) of 𝐀.Īn algebra 𝐀 = ( A, F ) is finite if A is a finite set. Its underlying mathematical structure is a cyclic group G = 〈 g 〉, where g is a known generator.Īlice and Bob choose secret elements a, b ∈ ) and often τ ( f 1 ) ≥ τ ( f 2 ) ≥ ⋯ ≥ τ ( f n ).
The Diffie–Hellman key exchange scheme, conceptualized by Merkle, is one of the most utilized public-key protocols and an integral part of many communication standards. Such schemes enable two parties to derive a common secret key using a public channel. In addition, we present a brief survey on the algebraic properties of existing key exchange schemes and identify the source of commutativity and the family of underlying algebraic structures for each scheme.Ĭryptographic key exchange is an essential part of modern communication. We also show that a symmetric encryption scheme possessing homomorphic properties over some algebraic operation can be turned into a public-key primitive with the AGDH, provided that the operation is complex enough. We formulate the underlying computational problems in the framework of average-case complexity and show that the scheme is secure if the problem of computing images under an unknown homomorphism is infeasible. We suggest an algebraically generalized Diffie–Hellman scheme (AGDH) that, in general, enables the application of any algebra as the platform for key exchange. Therefore, new key exchange schemes have been sought to prepare for the time when quantum computing becomes a reality.Īlgebraically, these schemes need to provide some sort of commutativity to enable Alice and Bob to derive a common key on a public channel while keeping it computationally difficult for the adversary to deduce the derived key. The DLP can be solved in polynomial time for any cyclic group in the quantum computation model. Its underlying algebraic structure is a cyclic group and its security is based on the discrete logarithm problem (DLP). We complete the picture by showing a simple and safe alternative definition of function \(F_k(x)\) which offers (full) UC OPRF security using either form of blinding.The Diffie–Hellman key exchange scheme is one of the earliest and most widely used public-key primitives. The conclusion is that usage of multiplicative blinding for \(F_k(x)\) defined as above, in settings where correct value \(g^k\) (needed for multiplicative blinding) is not authenticated, and OPRF inputs are of low entropy, must be carefully analyzed, or avoided all together. Unfortunately, we also show examples of other OPRF applications which become insecure when using such blinding. On the positive side, we show that the Correlated OPRF suffices for the security of OPAQUE, the asymmetric PAKE protocol, hence allowing OPAQUE the computational advantages of multiplicative blinding.
We characterize the security of this OPRF implementation as a “Correlated OPRF” functionality, a relaxation of UC OPRF functionality used in prior work. We analyze the security of the above OPRF with multiplicative blinding, showing surprising weaknesses that offer attack avenues which are not present using exponential blinding. However, this protocol requires two variable-base exponentiations on the client, while a more efficient multiplicative blinding scheme replaces one or both client exponentiations with fixed-base exponentiation, leading to the decrease of the client’s computational cost by a factor between two to six, depending on pre-computation. the client sends \(a=(H_1(x))^r\) for random r, the server responds \(b=a^k\), which the client unblinds as \(v=b^\) to compute \(F_k(x)=H_2(x,v)\). OPRF’s have found diverse applications as components of larger protocols, and the currently most efficient instantiation, with security proven in the UC model, is \(F_k(x)=H_2(x,(H_1(x))^k)\) computed using so-called exponential blinding, i.e. At the end, the client learns \(F_k(x)\) and nothing else while the server learns nothing. Oblivious Pseudorandom Function (OPRF) is a protocol between a client holding input x and a server holding key k for a PRF F.
ONLINE DIFFIE HELLMAN CALCULATOR SERIES
Book series (LNCS, volume 12711) Abstract
0 kommentar(er)
