# Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange

@inproceedings{Gjsteen2018PracticalAT, title={Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange}, author={Kristian Gj{\o}steen and Tibor Jager}, booktitle={IACR Cryptol. ePrint Arch.}, year={2018} }

Tight security is increasingly gaining importance in real-world cryptography, as it allows one to choose cryptographic parameters in a way that is supported by a security proof, without the need to sacrifice efficiency by compensating for the security loss of a reduction with larger parameters. However, for many important cryptographic primitives, including digital signatures and authenticated key exchange (AKE), we are still lacking constructions that are suitable for real-world deployment.

## 41 Citations

Tightly Secure Two-Pass Authenticated Key Exchange Protocol in the CK Model

- Computer Science, Mathematics
- CT-RSA
- 2020

Tightly secure authenticated key exchange (AKE), whose security is independent from the number of users and sessions (tight security), has been studied by Bader et al. [TCC 2015] and Gjosteen-Jager…

Tightly-Secure Authenticated Key Exchange, Revisited

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

We introduce new tightly-secure authenticated key exchange (AKE) protocols that are extremely efficient, yet have only a constant security loss and can be instantiated in the random oracle model both…

Authenticated Key Exchange and Signatures with Tight Security in the Standard Model

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2021

This work identifies a subtle gap in the security proof of the only previously known efficient standard model scheme by Bader et al. (TCC 2015), and develops a new variant, which yields the currently most efficient signature scheme that achieves this strong security notion without random oracles and based on standard hardness assumptions.

On the General Construction of Tightly Secure Identity-Based Signature Schemes

- Computer Science, Mathematics
- Comput. J.
- 2020

This paper combines two known signature schemes, providing the possibility of achieving tight security for IBS schemes in the random oracle model, and presents an efficient IBS scheme with tight security as an example.

Signed Diffie-Hellman Key Exchange with Tight Security

- Computer Science, Mathematics
- CT-RSA
- 2021

The first tight security proof for the ordinary two-message signed Diffie-Hellman key exchange protocol in the random oracle model is proposed and the tightness result is proven in the “Single-Bit-Guess” model which the authors know can be tightly composed with symmetric cryptographic primitives to establish a secure channel.

Hierarchical Identity-Based Encryption with Tight Multi-Challenge Security

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

We construct the first hierarchical identity-based encryption (HIBE) scheme with tight adaptive security in the multi-challenge setting, where adversaries are allowed to ask for ciphertexts for…

Tight reduction for generic construction of certificateless signature and tightly-secure scheme without pairing

- Computer Science, Mathematics
- 2019

It is shown that their construction can achieve tight security if the underlying signature scheme is existentially unforgeable under adaptive chosen-message attacks in the multi-user setting with adaptive corruptions.

Tightly-secure two-pass authenticated key exchange protocol using twin Diffie-Hellman problem

- Computer Science, Mathematics
- IET Inf. Secur.
- 2020

This study proposes a tightly-secure two-pass AKE protocol that uses the twin Diffie–Hellman problem and the ‘re-patch’ trick of random oracles to construct a tight security reduction for their protocol, and provides several security properties such as key-compromise-impersonation security, unknown-key-share security, and weak perfect forward secrecy.

Signed (Group) Diffie-Hellman Key Exchange with Tight Security

- Computer Science, Mathematics
- 2021

The first tight security proof for the ordinary two-message signed Diffie-Hellman key exchange protocol in the random oracle model is proposed and the tightness result is proven in the “Single-Bit-Guess” model which the authors know can be tightly composed with symmetric cryptographic primitives to establish a secure channel.

Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

This work proposes a generic construction of 2-pass authenticated key exchange (AKE) scheme with explicit authentication from key encapsulation mechanism (KEM) and signature (SIG) schemes and defines a new security notion named “IND-mCPA with adaptive reveals” for KEM.

## References

SHOWING 1-10 OF 49 REFERENCES

Multi-key Authenticated Encryption with Corruptions: Reductions Are Lossy

- Computer Science, Mathematics
- TCC
- 2017

By appropriate settings of the parameters of the framework, multi-key variants of many of the existing single-key security notions are obtained.

One-Round Key Exchange with Strong Security: An Efficient and Generic Construction in the Standard Model

- Computer Science, Mathematics
- Public Key Cryptography
- 2015

One-round authenticated key exchange (ORKE) is an established research area, with many prominent protocol constructions like HMQV and Naxos, and many slightly different, strong security models.

Tightly-Secure Authenticated Key Exchange

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2014

This work constructs the first Authenticated Key Exchange (AKE) protocol whose security does not degrade with an increasing number of users or sessions and proves security in an enhanced version of the classical Bellare-Rogaway security model.

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

- Computer Science, Mathematics
- EUROCRYPT
- 2001

A formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that allows for simple modular proofs of security is presented.

(Hierarchical) Identity-Based Encryption from Affine Message Authentication

- Computer Science, Mathematics
- CRYPTO
- 2014

This work provides a generic transformation from any affine message authentication code (MAC) to an identity-based encryption (IBE) scheme over pairing groups of prime order and shows how to construct affine MACs with a tight security reduction to standard assumptions, providing the first tightly secure IBE in the standard model.

Tightly secure signatures and public-key encryption

- Computer Science, Mathematics
- Des. Codes Cryptogr.
- 2012

We construct the first public-key encryption (PKE) scheme whose chosen-ciphertext (i.e., IND-CCA) security can be proved under a standard assumption and does not degrade in either the number of users…

On Formal Models for Secure Key Exchange

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 1999

A new formal security model for session key exchange protocols in the public key setting is proposed, and several efficient protocols are analyzed in this model. The relationship between this new model…

Public-Key Encryption in a Multi-user Setting: Security Proofs and Improvements

- Computer Science, Mathematics
- EUROCRYPT
- 2000

It is proved that security in the single-user setting implies security in the multi-user setting as long as the former is interpreted in the strong sense of "indistinguishability," thereby pin-pointing many schemes guaranteed to be secure against Hastad-type attacks.

Entity Authentication and Key Distribution

- Computer Science, Mathematics
- CRYPTO
- 1993

This work provides the first formal treatment of entity authentication and authenticated key distribution appropriate to the distributed environment and presents a definition, protocol, and proof that the protocol meets its goal, assuming only the existence of a pseudorandom function.

Efficient Signatures with Tight Real World Security in the Random-Oracle Model

- Computer Science, Mathematics
- CANS
- 2014

This paper proposes an efficient signature scheme whose security reduction in the above setting is tight and when 80 bits of security are required the authors' signatures are of size roughly 2700 bits.