International Association for Cryptologic Research

International Association
for Cryptologic Research


Arash Afshar


Fine-Grained Non-Interactive Key-Exchange: Constructions and Lower Bounds
In 1974, Merkle showed that an ideal hash function (modeled as a random oracle) can be used between two parties to agree on a key that remains \emph{mildly} secure against adversaries whose running time is quadratic in those of honest parties. Shortly after, Diffie and Hellman improved this idea to a full-fledged key exchange protocol that is conjectured to be secure against super-polynomial adversaries. Both of these protocols have a crucial aspect in common: they are \emph{non-interactive}, as parties send their single message in parallel, and then they use their secret randomness and the public messages to derive the common key. Constructing $K$-NIKE protocols on well-founded assumptions turned out to be much challenging for $K>2$. For $K=3$ one can do this based on pairing-based assumptions, and for $K>3$ even stronger assumptions such as indistinguishability obfuscations have been used. In this work, we initiate a study of $K$-NIKE protocols in the \emph{fine-grained} setting, in which there is a \emph{polynomial} gap between the running time of the honest parties and that of the adversary. Our goal is to show the possibility, or impossibility, of basing such protocols on weaker assumptions than those of $K$-NIKE protocols for $K \geq 3$. Our contribution is threefold. 1. We show that random oracles can be used to obtain fine-grained $K$-NIKE protocols for \emph{every} constant $K$. In particular, we show how to generalize Merkle's two-party protocol to $K$ parties in such a way that the honest parties ask $n$ queries each, while the adversary needs $n^{K/(K-1)}$ queries to the random oracle to find the key. 2. We then improve the security by further using algebraic structure, while avoiding pairing. In particular, we show that there is a 4-party NIKE in Shoup's generic group model with a \emph{quadratic} gap between the number of queries by the honest parties vs. that of the adversary. 3. Finally, we show a limitation of using purely algebraic methods for obtaining $3$-NIKE. In particular, we show that any $n$-query $3$-NIKE protocol in Maurer's generic group model can be broken by a $O(n^2)$-query attacker. Maurer's GGM is more limited compared with Shoup's both for the parties and the adversary, as there are no explicit labels for the group elements. Despite being more limited, this model still captures the Diffie Hellman protocol. Prior to our work, it was open to break $3$-NIKE protocols in Maurer's model with \emph{any} polynomial number of queries. Our work leaves open to understand the optimality of our $K$-NIKE protocol in the random oracle model, which we conjecture to be optimal, and also to close the gap between our positive result in Shoup's model and the negative result in Maurer's model.
On the (Im)possibility of Time-Lock Puzzles in the Quantum Random Oracle Model
Time-lock puzzles wrap a solution s inside a puzzle P in such a way that “solving” P to find s requires significantly more time than generating the pair (s, P), even if the adversary has access to parallel computing; hence it can be thought of as sending a message s to the future. It is known [Mahmoody, Moran, Vadhan, Crypto’11] that when the source of hardness is only a random oracle, then any puzzle generator with n queries can be (efficiently) broken by an adversary in O(n) rounds of queries to the oracle. In this work, we revisit time-lock puzzles in a quantum world by allowing the parties to use quantum computing and, in particular, access the random oracle in quantum superposition. An interesting setting is when the puzzle generator is efficient and classical, while the solver (who might be an entity developed in the future) is quantum-powered and is supposed to need a long sequential time to succeed. We prove that in this setting there is no construction of time-lock puzzles solely from quantum (accessible) random oracles. In particular, for any n-query classical puzzle generator, our attack only asks O(n) (also classical) queries to the random oracle, even though it does indeed run in quantum polynomial time if the honest puzzle solver needs quantum computing. Assuming perfect completeness, we also show how to make the above attack run in exactly n rounds while asking a total of m · n queries where m is the query complexity of the puzzle solver. This is indeed tight in the round complexity, as we also prove that a classical puzzle scheme of Mahmoody et al. is also secure against quantum solvers who ask n−1 rounds of queries. In fact, even for the fully classical case, our attack quantitatively improves the total queries of the attack of Mahmoody et al. for the case of perfect completeness from O(mn log n) to mn. Finally, assuming perfect completeness, we present an attack in the “dual” setting in which the puzzle generator is quantum while the solver is classical. We then ask whether one can extend our classical-query attack to the fully quantum setting, in which both the puzzle generator and the solver could be quantum. We show a barrier for proving such results unconditionally. In particular, we show that if the folklore simulation conjecture, first formally stated by Aaronson and Ambainis [arXiv’2009] is false, then there is indeed a time-lock puzzle in the quantum random oracle model that cannot be broken by classical adversaries. This result improves the previous barrier of Austrin et. al [Crypto’22] about key agreements (that can have interactions in both directions) to time-lock puzzles (that only include unidirectional communication).