# Merkle’s Key Agreement Protocol is Optimal: An \(O(n^2)\) Attack on Any Key Agreement from Random Oracles


## Abstract

We prove that every key agreement protocol in the random oracle model in which the honest users make at most *n* queries to the oracle can be broken by an adversary who makes \(O(n^2)\) queries to the oracle. This improves on the previous \({\tilde{\Omega }}(n^6)\) query attack given by Impagliazzo and Rudich (STOC ’89) and resolves an open question posed by them. Our bound is optimal up to a constant factor since Merkle proposed a key agreement protocol in 1974 that can be easily implemented with *n* queries to a random oracle and cannot be broken by any adversary who asks \(o(n^2)\) queries.
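As an added illustration (not code from the paper), the following Python models the random-oracle version of Merkle's protocol with a query-counting oracle, so that the honest parties' cost of roughly n queries each and a generic adversary's cost of roughly n^2/2 queries can be measured side by side. Eve here simply scans the domain to invert Bob's reply, which is the brute-force bound for this specific protocol, not the paper's general attack; the parameters (n = 32, 128-bit oracle outputs, 50 trials) are assumptions for the demo.

```python
import random
from typing import Dict, Tuple


class RandomOracle:
    """A random function on {0, ..., size-1}, sampled lazily, that counts the
    queries each party makes (query count is the cost measure in the paper)."""

    def __init__(self, rng: random.Random):
        self._rng = rng
        self._table: Dict[int, int] = {}
        self.queries: Dict[str, int] = {}

    def h(self, who: str, x: int) -> int:
        self.queries[who] = self.queries.get(who, 0) + 1
        if x not in self._table:            # fresh point: answer with a fresh 128-bit value
            self._table[x] = self._rng.getrandbits(128)
        return self._table[x]


def merkle_key_agreement(n: int, rng: random.Random) -> Tuple[int, int, int, RandomOracle]:
    """One run of the random-oracle Merkle protocol over a domain of size n^2.
    Returns Alice's key, Bob's key, the key Eve recovers by exhaustive search,
    and the oracle (whose counters show what each party paid)."""
    oracle, domain = RandomOracle(rng), n * n
    # Alice: hash n distinct random points and publish the hashes (the "puzzles").
    published = {oracle.h("alice", x): x for x in rng.sample(range(domain), n)}
    # Bob: hash random points until one hits a published hash (each try succeeds
    # with probability n/n^2 = 1/n, so about n queries) and send that hash back.
    while True:
        y = rng.randrange(domain)
        tag = oracle.h("bob", y)
        if tag in published:
            break
    alice_key, bob_key = published[tag], y   # Alice maps the returned hash to her point
    # Eve sees only the published hashes and Bob's reply; with a random oracle the
    # generic route is to invert Bob's tag by scanning the domain (about n^2/2 queries).
    eve_key = next(z for z in rng.sample(range(domain), domain) if oracle.h("eve", z) == tag)
    return alice_key, bob_key, eve_key, oracle


def average_query_costs(n: int, trials: int, seed: int = 0) -> Tuple[float, float, float]:
    """Average (alice, bob, eve) query counts over several runs, checking agreement each time."""
    rng, totals = random.Random(seed), [0, 0, 0]
    for _ in range(trials):
        a, b, e, oracle = merkle_key_agreement(n, rng)
        assert a == b == e, "honest parties must agree and Eve's search must recover the key"
        for i, who in enumerate(("alice", "bob", "eve")):
            totals[i] += oracle.queries[who]
    return tuple(t / trials for t in totals)
```

Running `average_query_costs(n=32, trials=50)` gives Alice exactly 32 queries per run, Bob about 32 on average, and Eve about 512, which is the n versus n^2 gap the abstract refers to.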

## Keywords

Key agreement, Random oracle, Merkle puzzles

## Notes

### Acknowledgments

We thank Russell Impagliazzo for very useful discussions and the anonymous reviewers for their valuable comments.

## References

- 1. C.H. Bennett, G. Brassard, A.K. Ekert, Quantum cryptography. *Sci. Am.* **267**(4), 50–57 (1992)
- 2. E. Biham, Y.J. Goren, Y. Ishai, Basing weak public-key cryptography on strong one-way functions, in *TCC* (R. Canetti, ed.). Lecture Notes in Computer Science, vol. 4948 (Springer, 2008), pp. 55–72
- 3. G. Brassard, P. Høyer, K. Kalach, M. Kaplan, S. Laplante, L. Salvail, Merkle puzzles in a quantum world, in *CRYPTO* (P. Rogaway, ed.). Lecture Notes in Computer Science, vol. 6841 (Springer, 2011), pp. 391–410
- 4. Z. Brakerski, J. Katz, G. Segev, A. Yerukhimovich, Limits on the power of zero-knowledge proofs in cryptographic constructions, in *TCC* (Y. Ishai, ed.). Lecture Notes in Computer Science, vol. 6597 (Springer, 2011), pp. 559–578
- 5. B. Barak, M. Mahmoody-Ghidary, Merkle puzzles are optimal—an \(O(n^2)\)-query attack on any key exchange from a random oracle, in *CRYPTO* (S. Halevi, ed.). Lecture Notes in Computer Science, vol. 5677 (Springer, 2009), pp. 374–390
- 6. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in *ACM Conference on Computer and Communications Security* (1993), pp. 62–73
- 7. G. Brassard, L. Salvail, Quantum Merkle puzzles, in *International Conference on Quantum, Nano and Micro Technologies (ICQNM)*, IEEE Computer Society (2008), pp. 76–79
- 8. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. *J. ACM* **51**(4), 557–594 (2004)
- 9. R. Cleve, Limits on the security of coin flips when half the processors are faulty (extended abstract), in *Annual ACM Symposium on Theory of Computing (STOC)*, Berkeley, California, 28–30 May 1986, pp. 364–369
- 10. W. Diffie, M. Hellman, New directions in cryptography. *IEEE Trans. Inf. Theory* **IT-22**(6), 644–654 (1976)
- 11. D. Dachman-Soled, Y. Lindell, M. Mahmoody, T. Malkin, On the black-box complexity of optimally-fair coin tossing, in *TCC* (Y. Ishai, ed.). Lecture Notes in Computer Science, vol. 6597 (Springer, 2011), pp. 450–467
- 12. R. Gennaro, Y. Gertner, J. Katz, L. Trevisan, Bounds on the efficiency of generic cryptographic constructions. *SIAM J. Comput.* **35**(1), 217–246 (2005)
- 13. L.K. Grover, A fast quantum mechanical algorithm for database search, in *Annual ACM Symposium on Theory of Computing (STOC)*, 22–24 May 1996, pp. 212–219
- 14. I. Haitner, J.J. Hoch, O. Reingold, G. Segev, Finding collisions in interactive protocols—a tight lower bound on the round complexity of statistically-hiding commitments, in *Annual IEEE Symposium on Foundations of Computer Science (FOCS)*, IEEE (2007), pp. 669–679
- 15. T. Holenstein, Complexity theory (2015). http://www.complexity.ethz.ch/education/Lectures/ComplexityFS15/skript_printable.pdf
- 16. I. Haitner, E. Omri, H. Zarosim, Limits on the usefulness of random oracles, in *Theory of Cryptography, TCC* (A. Sahai, ed.). Lecture Notes in Computer Science, vol. 7785 (Springer, 2013), pp. 437–456
- 17. R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in *Annual ACM Symposium on Theory of Computing (STOC)* (1989), pp. 44–61. Full version available from Russell Impagliazzo's home page: https://cseweb.ucsd.edu/~russell/secret.ps
- 18. J. Katz, D. Schröder, A. Yerukhimovich, Impossibility of blind signatures from one-way permutations, in *TCC* (Y. Ishai, ed.). Lecture Notes in Computer Science, vol. 6597 (Springer, 2011), pp. 615–629
- 19. R.C. Merkle, C.S. 244 project proposal (1974). http://merkle.com/1974/
- 20. R.C. Merkle, Secure communications over insecure channels. *Commun. ACM* **21**(4), 294–299 (1978)
- 21. M. Mahmoody, H.K. Maji, M. Prabhakaran, Limits of random oracles in secure computation, in *Proceedings of the 5th Conference on Innovations in Theoretical Computer Science*, ACM (2014), pp. 23–34
- 22. M. Mahmoody, T. Moran, S.P. Vadhan, Time-lock puzzles in the random oracle model, in *CRYPTO* (P. Rogaway, ed.). Lecture Notes in Computer Science, vol. 6841 (Springer, 2011), pp. 39–50
- 23. M. Mahmoody, R. Pass, The curious case of non-interactive commitments—on the power of black-box vs. non-black-box use of primitives, in *CRYPTO* (R. Safavi-Naini, R. Canetti, eds.). Lecture Notes in Computer Science, vol. 7417 (Springer, 2012), pp. 701–718
- 24. R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems. *Commun. ACM* **21**(2), 120–126 (1978)
- 25. O. Reingold, L. Trevisan, S.P. Vadhan, Notions of reducibility between cryptographic primitives, in *TCC* (M. Naor, ed.). Lecture Notes in Computer Science, vol. 2951 (Springer, 2004), pp. 1–20