Another Look at Tightness II: Practical Issues in Cryptography

  • Sanjit Chatterjee
  • Neal Koblitz
  • Alfred MenezesEmail author
  • Palash Sarkar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10311)


How to deal with large tightness gaps in security proofs is a vexing issue in cryptography. Even when analyzing protocols that are of practical importance, leading researchers often fail to treat this question with the seriousness that it deserves. We discuss nontightness in connection with complexity leveraging, HMAC, lattice-based cryptography, identity-based encryption, and hybrid encryption.



We wish to thank Greg Zaverucha for extensive help with Appendix B as well as useful comments on the other sections, Michael Naehrig for reviewing and commenting on Sect. 5, Somindu C. Ramanna for providing helpful comments on an earlier draft of Sect. 6, Ann Hibner Koblitz for editorial suggestions, and Ian Blake, Eike Kiltz, and Chris Peikert for helpful feedback and suggestions. Of course, none of them is responsible for any of the opinions expressed in this article.


  1. 1.
    Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete Gaussian sampling. In: Proceedings of the 47th Annual Symposium Foundations of Computer Science, pp. 733–742 (2015)Google Scholar
  2. 2.
    Ajtai, M.: Generating hard instances of lattice problems. In: Proceedings of the 28th Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM (1996)Google Scholar
  3. 3.
    Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of the 29th Annual ACM Symposium on Theory of Computing, pp. 284–293. ACM (1997)Google Scholar
  4. 4.
    Albrecht, M., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9, 169–203 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Proceeding of the 25th USENIX Security Symposium, pp. 327–343 (2016)Google Scholar
  6. 6.
    ANSI X9.98: Lattice-Based Polynomial Public Key Establishment Algorithm for the Financial Services Industry, Part 1: Key Establishment, Part 2: Data Encryption (2010)Google Scholar
  7. 7.
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22006-7_34 CrossRefGoogle Scholar
  8. 8.
    Attrapadung, N., Furukawa, J., Gomi, T., Hanaoka, G., Imai, H., Zhang, R.: Efficient identity-based encryption with tight security reduction. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 19–36. Springer, Heidelberg (2006). doi: 10.1007/11935070_2 CrossRefGoogle Scholar
  9. 9.
    Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-55220-5_1 CrossRefGoogle Scholar
  10. 10.
    Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). doi: 10.1007/11693383_22 CrossRefGoogle Scholar
  11. 11.
    Bellare, M.: Practice-oriented provable-security. In: Damgård, I.B. (ed.) EEF School 1998. LNCS, vol. 1561, pp. 1–15. Springer, Heidelberg (1999). doi: 10.1007/3-540-48969-X_1 CrossRefGoogle Scholar
  12. 12.
    Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006). doi: 10.1007/11818175_36 CrossRefGoogle Scholar
  13. 13.
    Bellare, M.: email to N. Koblitz, 24 February 2012Google Scholar
  14. 14.
    Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. J. Cryptol. 28, 844–878 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Bellare, M., Bernstein, D.J., Tessaro, S.: Hash-function based PRFs: AMAC and its multi-user security. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 566–595. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_22 CrossRefGoogle Scholar
  16. 16.
    Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_18. CrossRefGoogle Scholar
  17. 17.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_1 Google Scholar
  18. 18.
    Bellare, M., Canetti, R., Krawczyk, H.: Pseudorandom functions revisited: the cascade construction and its concrete security. In: Proceedings of the 37th Annual Symposium Foundations of Computer Science, pp. 514–523 (1996).
  19. 19.
    Bellare, M., Canetti, R., Krawczyk, H.: HMAC: keyed-hashing for message authentication, Internet RFC 2104 (1997)Google Scholar
  20. 20.
    Bernstein, D.: Multi-user Schnorr security, revisited.
  21. 21.
    Blömer, J., Seifert, J.: On the complexity of computing short linearly independent vectors and short bases in a lattice. In: Proceedings of the 31st Annual ACM Symposium on Theory of Computing, pp. 711–720. ACM (1999)Google Scholar
  22. 22.
    Boldyreva, A.: Strengthening security of RSA-OAEP. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 399–413. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00862-7_27 CrossRefGoogle Scholar
  23. 23.
    Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without random oracles.
  24. 24.
    Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32, 586–615 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-42045-0_15 CrossRefGoogle Scholar
  26. 26.
    Bos, J., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: Proceedings of the 2015 IEEE Symposium on Security and Privacy, pp. 553–570 (2015)Google Scholar
  27. 27.
    Chatterjee, S., Menezes, A., Sarkar, P.: Another look at tightness. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 293–319. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-28496-0_18 CrossRefGoogle Scholar
  28. 28.
    Chen, L.: Recommendation for key derivation using pseudorandom functions (revised), NIST SP 800–108 (2009)Google Scholar
  29. 29.
    Chen, L.: Recommendation for key derivation through extraction-then-expansion, NIST SP 800–56C (2011)Google Scholar
  30. 30.
    Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Trans. Inf. Theory 30, 587–594 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). doi: 10.1007/BFb0055717 CrossRefGoogle Scholar
  32. 32.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33, 167–226 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  33. 33.
    Dang, Q.: Recommendation for applications using approved hash algorithms, NIST SP 800–107 (2012)Google Scholar
  34. 34.
    Dierks, T., Allen, C.: The TLS protocol, Internet RFC 2246 (1999)Google Scholar
  35. 35.
    Fuchsbauer, G.: Constrained verifiable random functions. In: Abdalla, M., Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 95–114. Springer, Cham (2014). doi: 10.1007/978-3-319-10879-7_7 Google Scholar
  36. 36.
    Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_34 CrossRefGoogle Scholar
  37. 37.
    Galbraith, S., Malone-Lee, J., Smart, N.: Public key signatures in the multi-user setting. Inf. Process. Lett. 83, 263–266 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  38. 38.
    Galindo, D.: Boneh-Franklin identity based encryption revisited. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 791–802. Springer, Heidelberg (2005). doi: 10.1007/11523468_64 CrossRefGoogle Scholar
  39. 39.
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits.
  40. 40.
    Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-44371-2_7 CrossRefGoogle Scholar
  41. 41.
    Goldreich, O., Goldwasser, S.: On the limits of nonapproximability of lattice problems. J. Comput. Syst. Sci. 60, 540–563 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    Goldwasser, S., Bellare, M.: Lecture Notes on Cryptography, July 2008.
  43. 43.
    Goldwasser, S., Kalai, Y.: Cryptographic assumptions: a position paper.
  44. 44.
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28, 270–299 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
  45. 45.
    Harkins, D., Carrel, D.: The internet key exchange (IKE), Internet RFC 2409 (1998)Google Scholar
  46. 46.
    Hoffstein, J., Howgrave-Graham, N., Pipher, J., Whyte, W.: Practical lattice-based cryptography: NTRUEncrypt and NTRUSign. In: Vallée, B., Nguyen, P.Q. (eds.) The LLL Algorithm, pp. 349–390. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-02295-1_11 Google Scholar
  47. 47.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998). doi: 10.1007/BFb0054868 CrossRefGoogle Scholar
  48. 48.
    IEEE 1363.1: Standard Specification for Public Key Cryptographic Techniques Based on Hard Problems over Lattices (2008)Google Scholar
  49. 49.
    Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman and Hall/CRC, London (2007)zbMATHGoogle Scholar
  50. 50.
    Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53008-5_2 CrossRefGoogle Scholar
  51. 51.
    Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-53018-4_20 CrossRefGoogle Scholar
  52. 52.
    Koblitz, N., Menezes, A.: Another look at “provable security”. II. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 148–175. Springer, Heidelberg (2006). doi: 10.1007/11941378_12 CrossRefGoogle Scholar
  53. 53.
    Koblitz, N., Menezes, A.: Another look at ‘provable security’. J. Cryptol. 20, 3–37 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  54. 54.
    Koblitz, N., Menezes, A.: Another look at HMAC. J. Math. Cryptol. 7, 225–251 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  55. 55.
    Koblitz, N., Menezes, A.: Another look at non-uniformity. Groups Complex. Cryptol. 5, 117–139 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  56. 56.
    Koblitz, N., Menezes, A.: Another look at security definitions. Adv. Math. Commun. 7, 1–38 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  57. 57.
    Koblitz, N., Menezes, A.: Another look at security theorems for 1-key nested MACs. In: Koç, Ç.K. (ed.) Open Problems in Mathematics and Computational Science, pp. 69–89. Springer, Cham (2014). doi: 10.1007/978-3-319-10683-0_4 Google Scholar
  58. 58.
    Koblitz, N., Menezes, A.: A riddle wrapped in an enigma. IEEE Secur. Priv. 14, 34–42 (2016)CrossRefGoogle Scholar
  59. 59.
    Krawczyk, H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF), Internet RFC 5869 (2010)Google Scholar
  60. 60.
    Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14623-7_34 CrossRefGoogle Scholar
  61. 61.
    Laarhoven, T., Mosca, M., van de Pol, J.: Finding shortest lattice vectors faster using quantum search. Des. Codes Crypt. 77, 375–400 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  62. 62.
    Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-71039-4_4 CrossRefGoogle Scholar
  63. 63.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices, learning with errors over rings. J. ACM 60, 43:1–43:35 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  64. 64.
    Menezes, A.: Another look at provable security, Invited talk at Eurocrypt 2012.
  65. 65.
    Micciancio, D., Goldwasser, S.: Complexity of Lattice Problems: A Cryptographic Perspective. Springer, New York (2002). doi: 10.1007/978-1-4615-0897-7 CrossRefzbMATHGoogle Scholar
  66. 66.
    M’Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: HOTP: an HMAC-based one time password algorithm, Internet RFC 4226 (2005)Google Scholar
  67. 67.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). doi: 10.1007/978-3-319-11659-4_12 Google Scholar
  68. 68.
    Peikert, C.: 19 February 2015 blog posting.
  69. 69.
    Peikert, C.: A decade of lattice cryptography.
  70. 70.
    Pietrzak, K.: A closer look at HMAC.
  71. 71.
    Regev, O.: On lattices, learning with errors, random linear codes, cryptography. J. ACM 56, 34:1–34:40 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  72. 72.
    Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 688–689. Springer, Heidelberg (1990). doi: 10.1007/3-540-46885-4_68 CrossRefGoogle Scholar
  73. 73.
    Shoup, V.: Sequences of games: a tool for taming complexity in security proofs.
  74. 74.
    Shoup, V.: ISO/IEC 18033–2:2006, Information Technology – Security Techniques – Encryption Algorithms – Part 2: Asymmetric Ciphers (2006).
  75. 75.
    Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-20465-4_4 CrossRefGoogle Scholar
  76. 76.
    Stern, J., Pointcheval, D., Malone-Lee, J., Smart, N.P.: Flaws in applying proof methodologies to signature schemes. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 93–110. Springer, Heidelberg (2002). doi: 10.1007/3-540-45708-9_7 CrossRefGoogle Scholar
  77. 77.
    Zaverucha, G.M.: Hybrid encryption in the multi-user setting.
  78. 78.
    Zhang, R., Imai, H.: Improvements on security proofs of some identity based encryption schemes. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 28–41. Springer, Heidelberg (2005). doi: 10.1007/11599548_3 CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Sanjit Chatterjee
    • 1
  • Neal Koblitz
    • 2
  • Alfred Menezes
    • 3
    Email author
  • Palash Sarkar
    • 4
  1. 1.Department of Computer Science and AutomationIndian Institute of ScienceBengaluruIndia
  2. 2.Department of MathematicsUniversity of WashingtonSeattleUSA
  3. 3.Department of Combinatorics and OptimizationUniversity of WaterlooWaterlooCanada
  4. 4.Applied Statistics UnitIndian Statistical InstituteKolkataIndia

Personalised recommendations