Multi-User CDH Problems and the Concrete Security of NAXOS and HMQV.

IACR Cryptol. ePrint Arch. (2023)

Abstract
We introduce $\textsf{CorrGapCDH}$, the Gap Computational Diffie-Hellman problem in the multi-user setting with Corruptions. In the random oracle model, our assumption tightly implies the security of the authenticated key exchange protocols $\textsf{NAXOS}$ in the eCK model and (a simplified version of) $\textsf{X3DH}$ without ephemeral key reveal. We prove hardness of $\textsf{CorrGapCDH}$ in the generic group model, with optimal bounds matching those of the discrete logarithm problem. We also introduce $\textsf{CorrCRGapCDH}$, a stronger Challenge-Response variant of our assumption. Unlike standard $\textsf{GapCDH}$, $\textsf{CorrCRGapCDH}$ implies the security of the popular AKE protocol $\textsf{HMQV}$ in the eCK model, tightly and without rewinding. Again, we prove hardness of $\textsf{CorrCRGapCDH}$ in the generic group model, with (almost) optimal bounds. Our new results allow implementations of $\textsf{NAXOS}$, $\textsf{X3DH}$, and $\textsf{HMQV}$ without having to adapt the group sizes to account for the tightness loss of previous reductions. As a side result of independent interest, we also obtain modular and simple security proofs from standard $\textsf{GapCDH}$ with tightness loss, improving previously known bounds.
Keywords
naxos,security,multi-user