Our Contributions. In this work, we present a provably secure and minimal-cost SAS-AKA scheme which re-uses public key pairs across protocol sessions and thus presents a lower-cost but non-PFS alternative to the perfect-forward-secret SAS-AKA protocols of [9, 11]. Our SAS-AKA relies on non-malleable commitments just like the SAS-AKA schemes of [19, 8, 11], but unlike the previous schemes it is built directly on CCA-secure encryption, and it relies on encryption not just for key establishment but also for authentication security. As a consequence, the new SAS-AKA is somewhat simpler than the previous SAS-AKA’s, which were built on top of the three-round SAS-MCA’s of [8, 11], and in particular it does not need to use universal hash functions.³ However, the most important contribution of the new SAS-AKA scheme is that it remains secure if each player uses a permanent public key, and hence shares state across all protocol sessions it executes. This leads to two minimal-cost 3-round non-PFS SAS-AKA protocols where the same public/private key pair or the same ▇▇▇▇▇▇-▇▇▇▇▇▇▇ random contribution is re-used across protocol instances. Specifically, when instantiated with the hash-based commitment and the CCA-secure OAEP-RSA, this implies a 3-round SAS-AKA protocol secure under the RSA assumption in ROM, with the cost of a single RSA encryption for the responder and a single RSA decryption for the initiator.

³ On the other hand, it might help to clarify that even though our SAS-AKA protocol also implies a new SAS-MCA scheme, we do not claim that our scheme is interesting as a SAS-MCA, because it relies on public-key encryption and is therefore much more expensive than the SAS-MCA’s of [8, 11], which can be implemented using only symmetric-key cryptography, at least in ROM.
When instantiated with the randomness-reusing CCA-secure version of ElGamal [3], this implies a 3-round SAS-AKA protocol secure under the DH assumption in ROM, with the cost of one exponentiation per player. In other words, the costs of the SAS-AKA protocols implied by our result are (for the first time) essentially the same as the costs of the corresponding basic unauthenticated key agreement protocols. By contrast, previously known PFS SAS-AKA protocols require two exponentiations per player if they are based on DH [11, 9], or the generation of a fresh public/private RSA key pair for each protocol instance if the general result of [11] is instantiated with an RSA-based key agreement. We note that the SAS-MCA/AKA protocol we show secure is very similar to the SAS-AKA protocols of [19, 8, 11], and it is indeed only a new variant of the same three-round commitment-based SAS-MA protocol analyzed in [19], which also forms a starting point for the protocols of [8, 11]. However, prior to our work there was no argument that such a SAS-AKA scheme remains secure when players re-use their public/private key pairs across multiple sessions. Moreover, as we explain above, it is unlikely that such a result can be proven using a modular argument similar to the one used by [11] for KA protocols that do not keep state between protocol instances, which is also why our analysis of the proposed protocol proceeds “from scratch” rather than proceeding in a modular fashion based on already known properties of ▇▇▇▇▇▇▇▇’s SAS-MA scheme. Secondly, our analysis shows that the SAS-AKA protocol can be simpler than even a standard encryption-based (and key-reusing) KA protocol executed over the 3-round SAS-MCA protocol of [8] or [11].
In fact, our protocol consists of a single instance of the basic unidirectional SAS-MA scheme of [19], shown in Figure 1, which authenticates only the initiator’s message; but this message includes the initiator’s (long-term) public key, which the responder uses to encrypt its message. It turns out that this encryption not only transforms this protocol into a SAS-AKA scheme but also authenticates the responder’s message, thus yielding not just a cheaper but also a simpler three-round SAS-AKA protocol.
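The three-round flow described above, as an added worked example that is not the paper's code. It assumes the commit / challenge / open structure of the unidirectional SAS-MA of [19] (the paper's Figure 1 is not reproduced on this page), a hash-based commitment, and a hashed-ElGamal stand-in for the CCA-secure encryption; the group parameters are a constructed toy, the stand-in is not CCA-secure, and every function name is hypothetical. The honest run shows both parties deriving the same SAS and session key at the cost of one exponentiation each (the responder's reused g^y makes pk^y its only new work, the initiator computes (g^y)^sk); the second run shows why including the initiator's public key in the committed message matters: an adversary who substitutes its own key in message 1 can read the responder's contribution, but the out-of-band SAS comparison then fails except with probability 2^-SAS_BITS.

```python
# Illustrative SAS-AKA message flow: added example, not the paper's code.  Assumed:
# commit / challenge / open structure of the SAS-MA of [19] (Figure 1 is not on this
# page), a hash-based commitment, a hashed-ElGamal stand-in for CCA-secure encryption.
import hashlib
import random
import secrets

P = (1 << 127) - 1   # constructed toy modulus, far too small for real use
G = 3                # toy generator
SAS_BITS = 20        # length of the short authenticated string compared out of band

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts; stands in for the random oracle of the ROM proof."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def i2b(x: int) -> bytes: return x.to_bytes(16, "big")
def r2b(r: int) -> bytes: return r.to_bytes(3, "big")
def sas_bits(randbytes) -> int:
    return int.from_bytes(randbytes(3), "big") & ((1 << SAS_BITS) - 1)

def deterministic_randbytes(seed: int):   # reproducible demos only; real runs use secrets
    return random.Random(seed).randbytes

def keygen(randbytes=secrets.token_bytes):   # initiator's long-term pair, re-used across sessions
    sk = int.from_bytes(randbytes(16), "big") % (P - 2) + 1
    return sk, pow(G, sk, P)

def responder_contribution(randbytes=secrets.token_bytes):   # (y, g^y), generated once and re-used
    y = int.from_bytes(randbytes(16), "big") % (P - 2) + 1
    return y, pow(G, y, P)

def commit(msg: bytes, r: bytes, randbytes=secrets.token_bytes):
    nonce = randbytes(32)
    return H(b"commit", msg, r, nonce), (r, nonce)

def open_commitment(c: bytes, msg: bytes, opening) -> bool:
    return c == H(b"commit", msg, opening[0], opening[1])

def encrypt(pk: int, contrib, msg: bytes):
    y, gy = contrib                                   # g^y is reused, so pk^y is the only new work
    pad = H(b"kem", i2b(pk), i2b(gy), i2b(pow(pk, y, P)))
    return gy, bytes(a ^ b for a, b in zip(msg, pad))

def decrypt(sk: int, pk: int, ct) -> bytes:
    gy, body = ct                                     # one exponentiation: (g^y)^sk
    pad = H(b"kem", i2b(pk), i2b(gy), i2b(pow(gy, sk, P)))
    return bytes(a ^ b for a, b in zip(body, pad))

def initiator_round1(pk_A: int, randbytes=secrets.token_bytes):
    """Message 1: the long-term public key plus a commitment to the initiator's R_A."""
    R_A = sas_bits(randbytes)
    c, opening = commit(i2b(pk_A), r2b(R_A), randbytes)
    return {"R_A": R_A, "opening": opening}, (pk_A, c)

def responder_round2(contrib, msg1, randbytes=secrets.token_bytes):
    """Message 2: R_B in the clear plus contribution K_B encrypted under the received pk."""
    pk, c = msg1
    R_B, K_B = sas_bits(randbytes), randbytes(32)
    return {"pk": pk, "c": c, "R_B": R_B, "K_B": K_B}, (R_B, encrypt(pk, contrib, K_B))

def initiator_round3(key, state, msg2):
    """Initiator derives SAS and session key; message 3 is the opening of the commitment."""
    sk, pk = key
    R_B, ct = msg2
    K_B = decrypt(sk, pk, ct)
    session_key = H(b"key", K_B, i2b(pk), r2b(state["R_A"]), r2b(R_B))
    return (state["R_A"] ^ R_B, session_key), state["opening"]

def responder_finish(state, msg3):
    """Responder checks the opening against the committed pk, then derives SAS and key."""
    if not open_commitment(state["c"], i2b(state["pk"]), msg3):
        return None
    R_A = int.from_bytes(msg3[0], "big")
    session_key = H(b"key", state["K_B"], i2b(state["pk"]), msg3[0], r2b(state["R_B"]))
    return R_A ^ state["R_B"], session_key

def honest_run(randbytes=secrets.token_bytes):
    """(sas_match, key_match) for an untampered session: (True, True)."""
    key, contrib = keygen(randbytes), responder_contribution(randbytes)
    st_A, m1 = initiator_round1(key[1], randbytes)
    st_B, m2 = responder_round2(contrib, m1, randbytes)
    (sas_A, k_A), m3 = initiator_round3(key, st_A, m2)
    sas_B, k_B = responder_finish(st_B, m3)
    return sas_A == sas_B, k_A == k_B

def mitm_run(randbytes=secrets.token_bytes):
    """Adversary E swaps its pk into message 1; E fixes R_E before seeing R_A, so SAS values agree only w.p. 2**-SAS_BITS."""
    key_A, key_E = keygen(randbytes), keygen(randbytes)
    contrib_B, contrib_E = responder_contribution(randbytes), responder_contribution(randbytes)
    st_A, _ = initiator_round1(key_A[1], randbytes)          # Alice's real message 1 is intercepted
    st_E, m1_forged = initiator_round1(key_E[1], randbytes)
    st_B, (R_B, ct_B) = responder_round2(contrib_B, m1_forged, randbytes)
    K_B = decrypt(key_E[0], key_E[1], ct_B)                  # E reads the responder's contribution
    m2_forged = (sas_bits(randbytes), encrypt(key_A[1], contrib_E, K_B))
    (sas_A, k_A), _ = initiator_round3(key_A, st_A, m2_forged)
    sas_B, k_B = responder_finish(st_B, st_E["opening"])     # opening of E's commitment verifies
    return sas_A == sas_B, k_A == k_B
```

The check a deployment actually relies on is the final out-of-band comparison of the two SAS values: the commitment binds the initiator's public key and R_A before the responder reveals R_B, so a substituted key changes the SAS on one side, and an implementation must refuse to use the session key unless the users confirm that the strings match. The responder's one-time (y, g^y) mirrors the paper's randomness-reusing instantiation, which is what brings the per-session cost down to a single exponentiation per player.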