TY - GEN
T1 - Distributed Merkle’s Puzzles
AU - Dinur, Itai
AU - Hasson, Ben
N1 - Publisher Copyright:
© 2021, International Association for Cryptologic Research.
PY - 2021/1/1
Y1 - 2021/1/1
N2 - Merkle’s puzzles were proposed in 1974 by Ralph Merkle as a key agreement protocol between two players based on symmetric-key primitives. In order to agree on a secret key, each player makes T queries to a random function (oracle), while any eavesdropping adversary has to make Ω(T2) queries to the random oracle in order to recover the key with high probability. The quadratic gap between the query complexity of the honest players and the eavesdropper was shown to be optimal by Barak and Mahmoody [CRYPTO’09]. We consider Merkle’s puzzles in a distributed setting, where the goal is to allow all pairs among M honest players with access to a random oracle to agree on secret keys. We devise a protocol in this setting, where each player makes T queries to the random oracle and communicates at most T bits, while any adversary has to make Ω(M· T2) queries to the random oracle (up to logarithmic factors) in order to recover any one of the keys with high probability. Therefore, the amortized (per-player) complexity of achieving secure communication (for a fixed security level) decreases with the size of the network. Finally, we prove that the gap of T· M between the query complexity of each honest player and the eavesdropper is optimal.
AB - Merkle’s puzzles were proposed in 1974 by Ralph Merkle as a key agreement protocol between two players based on symmetric-key primitives. In order to agree on a secret key, each player makes T queries to a random function (oracle), while any eavesdropping adversary has to make Ω(T2) queries to the random oracle in order to recover the key with high probability. The quadratic gap between the query complexity of the honest players and the eavesdropper was shown to be optimal by Barak and Mahmoody [CRYPTO’09]. We consider Merkle’s puzzles in a distributed setting, where the goal is to allow all pairs among M honest players with access to a random oracle to agree on secret keys. We devise a protocol in this setting, where each player makes T queries to the random oracle and communicates at most T bits, while any adversary has to make Ω(M· T2) queries to the random oracle (up to logarithmic factors) in order to recover any one of the keys with high probability. Therefore, the amortized (per-player) complexity of achieving secure communication (for a fixed security level) decreases with the size of the network. Finally, we prove that the gap of T· M between the query complexity of each honest player and the eavesdropper is optimal.
UR - http://www.scopus.com/inward/record.url?scp=85120084748&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-90453-1_11
DO - 10.1007/978-3-030-90453-1_11
M3 - Conference contribution
AN - SCOPUS:85120084748
SN - 9783030904524
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 310
EP - 332
BT - Theory of Cryptography - 19th International Conference, TCC 2021, Proceedings
A2 - Nissim, Kobbi
A2 - Waters, Brent
A2 - Waters, Brent
PB - Springer Science and Business Media Deutschland GmbH
T2 - 19th International Conference on Theory of Cryptography, TCC 2021
Y2 - 8 November 2021 through 11 November 2021
ER -