# Another Look at Tightness II: Practical Issues in Cryptography

## Abstract

How to deal with large tightness gaps in security proofs is a vexing issue in cryptography. Even when analyzing protocols that are of practical importance, leading researchers often fail to treat this question with the seriousness that it deserves. We discuss nontightness in connection with complexity leveraging, HMAC, lattice-based cryptography, identity-based encryption, and hybrid encryption.

## Notes

### Acknowledgments

We wish to thank Greg Zaverucha for extensive help with Appendix B as well as useful comments on the other sections, Michael Naehrig for reviewing and commenting on Sect. 5, Somindu C. Ramanna for providing helpful comments on an earlier draft of Sect. 6, Ann Hibner Koblitz for editorial suggestions, and Ian Blake, Eike Kiltz, and Chris Peikert for helpful feedback and suggestions. Of course, none of them is responsible for any of the opinions expressed in this article.
