Concurrent Secure Computation with Optimal Query Complexity and Fully Concurrent PAKE With No Setup

The multiple ideal query (MIQ) model [Goyal, Jain, and Ostrovsky, Crypto’10] offers a relaxed notion of security for concurrent secure computation, where the simulator is allowed to query the ideal functionality multiple times per session (as opposed to just once in the standard definition). The model provides a quantitative measure for the degradation in security under concurrent self-composition. As an immediate application, MIQ-secure protocols with low per-session query complexity yield concurrent password-authenticated key exchange protocols in the model of [Goldreich and Lindell, Crypto 2001]. However, to date, all known MIQ-secure protocols guarantee only an overall average bound on the number of queries per session throughout the execution. No worst-case per-session bound has been shown. We show the first MIQ-secure protocol with worst-case per-session guarantee. Specifically, we show a protocol for every PPT functionality f , where the simulator makes only a constant number of ideal queries in every session. The constant depends on the adversary but is independent of the security parameter. The result exactly matches a lower bound of [Goyal and Jain, Eurocrypt’13] who ruled out protocols where the simulator makes only an adversary-independent constant number of ideal queries per session. An immediate corollary of our main result is the resolution of the long standing open problem of designing a fully concurrent password authenticated key exchange protocol with no set-up assumptions. Prior constructions either required a setup assumption, or a random oracle, or an a priori bound on the number of concurrent execution, or worked only for a single password.