Journal of Cryptology, Volume 30, Issue 3, pp 699–734

Merkle’s Key Agreement Protocol is Optimal: An \(O(n^2)\) Attack on Any Key Agreement from Random Oracles

  • Boaz Barak
  • Mohammad Mahmoody


We prove that every key agreement protocol in the random oracle model in which the honest users make at most n queries to the oracle can be broken by an adversary who makes \(O(n^2)\) queries to the oracle. This improves on the previous \({\tilde{\Omega }}(n^6)\) query attack given by Impagliazzo and Rudich (STOC ’89) and resolves an open question posed by them. Our bound is optimal up to a constant factor since Merkle proposed a key agreement protocol in 1974 that can be easily implemented with n queries to a random oracle and cannot be broken by any adversary who asks \(o(n^2)\) queries.
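As an added worked example (not code from the article), the random-oracle version of Merkle's protocol that the abstract refers to, run against a query-counting oracle so that both sides of the bound can be observed: each honest party makes at most n queries, while the eavesdropper's brute-force inversion of the published tag needs up to n^2 queries. The party names, the 64-bit tag size, the domain size n^2 and the seeded oracle are choices made for this illustration only. The attack shown is the obvious one against this specific protocol; it is not the paper's general O(n^2) attack, which works against any protocol in the model.

```python
import random


class RandomOracle:
    """Lazily sampled random function on a small integer domain, with a per-caller
    counter of oracle queries (the cost measure the abstract's bound is about).
    Tags are 64-bit values, so tag collisions are negligible at these sizes."""

    def __init__(self, rng):
        self._rng = rng
        self._table = {}
        self.queries = {}

    def query(self, caller, x):
        self.queries[caller] = self.queries.get(caller, 0) + 1
        if x not in self._table:
            self._table[x] = self._rng.getrandbits(64)
        return self._table[x]


def merkle_key_agreement(n, oracle, rng):
    """Merkle's protocol in the random-oracle model (illustrative parametrisation):
    Alice picks n points of the domain [0, n^2) and sends their oracle images;
    Bob probes up to n random points until one of his images matches, then sends
    back only the index of the matching tag.  Each honest party makes at most n
    queries.  With constant probability (roughly 1 - 1/e) Bob finds a hit;
    otherwise the run aborts with no key."""
    domain = n * n
    xs = rng.sample(range(domain), n)
    tags = [oracle.query("alice", x) for x in xs]      # message 1: Alice -> Bob
    index_of = {t: i for i, t in enumerate(tags)}
    for y in rng.sample(range(domain), n):
        t = oracle.query("bob", y)
        if t in index_of:
            i = index_of[t]                            # message 2: Bob -> Alice
            return {"transcript": (tags, i), "alice_key": xs[i], "bob_key": y}
    return {"transcript": (tags, None), "alice_key": None, "bob_key": None}


def eavesdropper(n, oracle, transcript):
    """Eve sees only the transcript.  Against this particular protocol the obvious
    attack is to invert tags[i] by querying the whole domain: at most n^2 queries,
    about n^2/2 on average, which is why this protocol resists o(n^2) adversaries."""
    tags, i = transcript
    if i is None:
        return None
    for z in range(n * n):
        if oracle.query("eve", z) == tags[i]:
            return z
    return None


def run_merkle(n, seed):
    """One full run: honest execution, then the eavesdropper on the transcript.
    Returns the keys each party ends with and the per-party query counts."""
    rng = random.Random(seed)
    oracle = RandomOracle(random.Random(seed ^ 0x5EED))
    result = merkle_key_agreement(n, oracle, rng)
    eve_key = eavesdropper(n, oracle, result["transcript"])
    return {**result, "eve_key": eve_key, "queries": dict(oracle.queries)}


if __name__ == "__main__":
    r = run_merkle(32, seed=7)
    print("Alice:", r["alice_key"], "Bob:", r["bob_key"], "Eve:", r["eve_key"])
    print("oracle queries per party:", r["queries"])
```

The abstract counts the honest users' queries jointly (at most n in total); here each party is given a budget of n, so the honest total is 2n and the attacker's worst case is n^2, which leaves the quadratic gap unchanged. A run in which Bob finds no hit is a genuine failure mode of Merkle's scheme and is reported as an abort rather than hidden.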


Keywords: Key agreement, Random oracle, Merkle puzzles



We thank Russell Impagliazzo for very useful discussions and the anonymous reviewers for their valuable comments.


  1. C.H. Bennett, G. Brassard, A.K. Ekert, Quantum cryptography. Sci. Am. 267(4), 50–57 (1992)
  2. E. Biham, Y.J. Goren, Y. Ishai, Basing weak public-key cryptography on strong one-way functions, in TCC (R. Canetti, ed.). Lecture Notes in Computer Science, vol. 4948 (Springer, 2008), pp. 55–72
  3. G. Brassard, P. Høyer, K. Kalach, M. Kaplan, S. Laplante, L. Salvail, Merkle puzzles in a quantum world, in CRYPTO (P. Rogaway, ed.). Lecture Notes in Computer Science, vol. 6841 (Springer, 2011), pp. 391–410
  4. Z. Brakerski, J. Katz, G. Segev, A. Yerukhimovich, Limits on the power of zero-knowledge proofs in cryptographic constructions, in TCC (Y. Ishai, ed.). Lecture Notes in Computer Science, vol. 6597 (Springer, 2011), pp. 559–578
  5. B. Barak, M. Mahmoody-Ghidary, Merkle puzzles are optimal—an \(O(n^2)\)-query attack on any key exchange from a random oracle, in CRYPTO (S. Halevi, ed.). Lecture Notes in Computer Science, vol. 5677 (Springer, 2009), pp. 374–390
  6. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in ACM Conference on Computer and Communications Security (1993), pp. 62–73
  7. G. Brassard, L. Salvail, Quantum Merkle puzzles, in International Conference on Quantum, Nano and Micro Technologies (ICQNM), IEEE Computer Society (2008), pp. 76–79
  8. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
  9. R. Cleve, Limits on the security of coin flips when half the processors are faulty (extended abstract), in Annual ACM Symposium on Theory of Computing (Berkeley, California), 28–30 May (1986), pp. 364–369
  10. W. Diffie, M. Hellman, New directions in cryptography. IEEE Trans. Inf. Theory IT-22(6), 644–654 (1976)
  11. D. Dachman-Soled, Y. Lindell, M. Mahmoody, T. Malkin, On the black-box complexity of optimally-fair coin tossing, in TCC (Y. Ishai, ed.). Lecture Notes in Computer Science, vol. 6597 (Springer, 2011), pp. 450–467
  12. R. Gennaro, Y. Gertner, J. Katz, L. Trevisan, Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005)
  13. L.K. Grover, A fast quantum mechanical algorithm for database search, in Annual ACM Symposium on Theory of Computing (STOC), 22–24 May (1996), pp. 212–219
  14. I. Haitner, J.J. Hoch, O. Reingold, G. Segev, Finding collisions in interactive protocols—a tight lower bound on the round complexity of statistically-hiding commitments, in Annual IEEE Symposium on Foundations of Computer Science (FOCS), IEEE (2007), pp. 669–679
  15.
  16. I. Haitner, E. Omri, H. Zarosim, Limits on the usefulness of random oracles, in TCC (A. Sahai, ed.). Lecture Notes in Computer Science, vol. 7785 (Springer, 2013), pp. 437–456
  17. R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in Annual ACM Symposium on Theory of Computing (STOC) (1989), pp. 44–61. Full version available from Russell Impagliazzo’s home page
  18. J. Katz, D. Schröder, A. Yerukhimovich, Impossibility of blind signatures from one-way permutations, in TCC (Y. Ishai, ed.). Lecture Notes in Computer Science, vol. 6597 (Springer, 2011), pp. 615–629
  19. R.C. Merkle, C.S. 244 project proposal (1974)
  20. R.C. Merkle, Secure communications over insecure channels. Commun. ACM 21(4), 294–299 (1978)
  21. M. Mahmoody, H.K. Maji, M. Prabhakaran, Limits of random oracles in secure computation, in Proceedings of the 5th Conference on Innovations in Theoretical Computer Science (ITCS), ACM (2014), pp. 23–34
  22. M. Mahmoody, T. Moran, S.P. Vadhan, Time-lock puzzles in the random oracle model, in CRYPTO (P. Rogaway, ed.). Lecture Notes in Computer Science, vol. 6841 (Springer, 2011), pp. 39–50
  23. M. Mahmoody, R. Pass, The curious case of non-interactive commitments—on the power of black-box vs. non-black-box use of primitives, in CRYPTO (R. Safavi-Naini, R. Canetti, eds.). Lecture Notes in Computer Science, vol. 7417 (Springer, 2012), pp. 701–718
  24. R.L. Rivest, A. Shamir, L.M. Adleman, A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
  25. O. Reingold, L. Trevisan, S.P. Vadhan, Notions of reducibility between cryptographic primitives, in TCC (M. Naor, ed.). Lecture Notes in Computer Science, vol. 2951 (Springer, 2004), pp. 1–20

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. Harvard John A. Paulson School of Engineering and Applied Sciences, Harvard University, Cambridge, USA
  2. University of Virginia, Charlottesville, USA
