slides - Olivier Blazy

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages
PKC 2013
Fabrice Ben Hamouda, Olivier Blazy, Céline Chevalier, David Pointcheval, Damien Vergnaud
Horst Görtz Institute for IT Security / Ruhr-University Bochum
ENS / CNRS / INRIA / Université Panthéon-Assas
Outline
1 Introduction
2 Building Blocks
3 Language Authenticated Key Exchange
4 Conclusion
LAKE | Horst Görtz Institute for IT-Security | PKC 2013
Authenticated Key Exchange
Alice                              Bob
          ───────────────→
          ←───────────────
          ───────────────→
                 K_AB
Share a common session key iff everything goes well.

Password Authenticated Key Exchange [BM92]
Alice (pw_A)                       Bob (pw_B)
          ───────────────→
          ←───────────────
          ───────────────→
Share a common session key iff they possess the same password.

Secret Handshakes [BDSS03]
Alice (σ_A)                        Bob (σ_B)
          ───────────────→
          ←───────────────
          ───────────────→
Share a common session key iff their signatures fit.

Credential Authenticated Key Exchange [CCGS10]
Alice (Cred(A))                    Bob (Cred(B))
          ───────────────→
          ←───────────────
          ───────────────→
Share a common session key iff they possess the required credentials.

Language Authenticated Key Exchange
Alice (w_A)                        Bob (w_B)
          ───────────────→
          ←───────────────
          ───────────────→
Share a common session key iff their words/languages fit.
Outline
1 Introduction
2 Building Blocks
Cramer Shoup Encryption Revisited
Smooth Projective Hash Functions and their language
Manageable Languages
3 Language Authenticated Key Exchange
4 Conclusion
Cramer-Shoup Encryption [CS02]
Definition
- Setup($1^\lambda$): generates a multiplicative group $(p, \mathbb{G}, g_1, g_2)$ of prime order $p$.
- KeyGen(param): $dk = (\mu_1, \mu_2, \nu_1, \nu_2, \eta_1, \eta_2) \xleftarrow{\$} \mathbb{Z}_p^6$,
  $pk = (c = g_1^{\mu_1} g_2^{\mu_2},\ d = g_1^{\nu_1} g_2^{\nu_2},\ h = g_1^{\eta_1} g_2^{\eta_2})$.
- Encrypt($pk, M; \alpha$): for $M \in \mathbb{G}$ and $\alpha \xleftarrow{\$} \mathbb{Z}_p$, defines $C = \mathrm{CS}(M; \alpha) = (u, e, v)$ as
  $u = (g_1^{\alpha}, g_2^{\alpha}),\quad e = M h^{\alpha},\quad v = (c d^{\xi})^{\alpha},\quad \xi = \mathrm{Hash}(u, e)$.
- Decrypt($dk = (\mu, \nu, \eta),\ C = (u, e, v)$):
  if $v = \prod_i u_i^{\mu_i + \xi \nu_i}$, then $M = e \cdot \prod_i u_i^{-\eta_i}$; otherwise reject.
IND-CCA under DDH.
Double Cramer-Shoup Encryption
Definition
- Setup($1^\lambda$): generates a multiplicative group $(p, \mathbb{G}, g_1, g_2)$.
- KeyGen(param): $dk \xleftarrow{\$} \mathbb{Z}_p^6$, $pk = (c, d, h)$ as in Cramer-Shoup.
- Encrypt$_1$($pk, M; \alpha$): $C = \mathrm{CS}(M; \alpha)$.
- Encrypt$_2$($pk, N, \xi; \alpha'$): for $N$ and $\alpha' \xleftarrow{\$} \mathbb{Z}_p$, defines $C' = \mathrm{CS}'(N, \xi; \alpha')$ as
  $u' = (g_1^{\alpha'}, g_2^{\alpha'}),\quad e' = N h^{\alpha'},\quad v' = (c d^{\xi})^{\alpha'}$,
  where $\xi$ is the one of the first ciphertext (it is an input, not a hash of $(u', e')$).
- Decrypt($dk = (\mu, \nu, \eta),\ C = (u, e, v),\ C' = (u', e', v')$):
  if $v = \prod_i u_i^{\mu_i + \xi \nu_i}$, then $M = e \cdot \prod_i u_i^{-\eta_i}$;
  if $v' = \prod_i {u'_i}^{\mu_i + \xi \nu_i}$, then $N = e' \cdot \prod_i {u'_i}^{-\eta_i}$.
IND-PD-CCA under DDH (IND-CCA on CS, IND-CPA on CS').
Multi Double Cramer-Shoup Encryption
Definition
- Setup($1^\lambda$): generates a multiplicative group $(p, \mathbb{G}, g_1, g_2)$.
- KeyGen(param): $dk \xleftarrow{\$} \mathbb{Z}_p^6$, $pk$.
- Encrypt$_1$($pk, M; \alpha$): $C = \mathrm{CS}(M; \alpha)$, where $\xi = \mathrm{Hash}(u, e)$.
- Encrypt$_2$($pk, N, \xi; \alpha'$): $C' = \mathrm{CS}'(N, \xi; \alpha')$.
- Decrypt($dk = (\mu, \nu, \eta),\ C,\ C'$):
  if $v = \prod_i u_i^{\mu_i + \xi \nu_i}$, then $M = e \cdot \prod_i u_i^{-\eta_i}$;
  if $v' = \prod_i {u'_i}^{\mu_i + \xi \nu_i}$, then $N = e' \cdot \prod_i {u'_i}^{-\eta_i}$.
IND-PD-CCA under DDH.
Smooth Projective Hash Functions [CS02, GL03]
Definition
Let $\{H\}$ be a family of functions:
- $X$, domain of these functions
- $L$, subset (a language) of this domain
such that, for any point $x$ in $L$, $H(x)$ can be computed by using
- either a secret hashing key $hk$: $H(x) = \mathrm{Hash}_L(hk; x)$;
- or a public projected key $hp$: $H'(x) = \mathrm{ProjHash}_L(hp; x, w)$
Public mapping $hk \mapsto hp = \mathrm{ProjKG}_L(hk, x)$
Properties
For any $x \in X$, $H(x) = \mathrm{Hash}_L(hk; x)$
For any $x \in L$, $H(x) = \mathrm{ProjHash}_L(hp; x, w)$, with $w$ a witness that $x \in L$
Smoothness
For any $x \notin L$, $H(x)$ and $hp$ are independent
Pseudo-Randomness
For any $x \in L$, $H(x)$ is pseudo-random, without a witness $w$
The latter property requires $L$ to be a hard-partitioned subset of $X$:
Hard-Partitioned Subset
$L$ is a hard-partitioned subset of $X$ if it is computationally hard to distinguish a random element in $L$ from a random element in $X \setminus L$
Straightforward Languages
- Diffie-Hellman / Linear Tuple
  Valid Diffie-Hellman tuple? $(g, h, G = g^{a}, H = h^{a})$
  $hk = (\kappa, \lambda)$, $hp = g^{\kappa} h^{\lambda}$, and $hp^{a} = G^{\kappa} H^{\lambda}$
  Applications: Oblivious Transfer, Implicit Opening of a ciphertext
  Valid Linear tuple? $(U = u^{a}, V = v^{b}, W = g^{a+b})$
  $hp = (hp_1 = u^{\kappa} g^{\lambda},\ hp_2 = v^{\mu} g^{\lambda})$, and $hp_1^{a} hp_2^{b} = U^{\kappa} V^{\mu} W^{\lambda}$
- Conjunction / Disjunction
  $L_1 \cap L_2$: $hp = (hp_1, hp_2)$; simultaneous verification: $H'_1 \cdot H'_2 = H_1 \cdot H_2$
  $L_1 \cup L_2$: $hp = (hp_1, hp_2, hp_\Delta)$; one out of two conditions (is it a bit?):
  $H' = \begin{cases} hp_1^{w_1} & \text{if } x \in L_1 \\ hp_2^{w_2} \cdot hp_\Delta & \text{otherwise} \end{cases}$, with $hp_\Delta = X_1^{hk_1}$
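Added example, not code from the slides or the paper: the Diffie-Hellman SPHF above, written out in Python over a toy safe-prime group. The parameters $p = 1019$, $q = 509$ and the generators $4$ and $9$ are assumptions chosen so the numbers stay readable; a real deployment uses a 2048-bit group or an elliptic curve, and the two generators must be chosen so that nobody knows $\log_g h$. The functions mirror the slide: `hashkg` samples $hk = (\kappa, \lambda)$, `projkg` returns $hp = g^{\kappa} h^{\lambda}$, `hash_dh` computes $G^{\kappa} H^{\lambda}$ from $hk$ alone, `projhash_dh` computes $hp^{a}$ from the witness $a$, and the conjunction of two DH languages multiplies the two hash values as on the $L_1 \cap L_2$ line.

```python
"""SPHF for Diffie-Hellman tuples (added example, not the paper's code)."""
import random

# Toy group (assumption): p = 2q + 1 = 1019 is a safe prime, q = 509.
# 4 and 9 are squares mod p, so both generate the order-q subgroup.
P, Q = 1019, 509
G_GEN, H_GEN = 4, 9


def hashkg(rng=random):
    """hk = (kappa, lambda) <- Z_q^2, the secret hashing key."""
    return rng.randrange(Q), rng.randrange(Q)


def projkg(hk):
    """hp = g^kappa h^lambda; for this language hp does not depend on the word."""
    kappa, lam = hk
    return pow(G_GEN, kappa, P) * pow(H_GEN, lam, P) % P


def hash_dh(hk, word):
    """Hash(hk; (G, H)) = G^kappa H^lambda, computed from hk, no witness needed."""
    kappa, lam = hk
    G, H = word
    return pow(G, kappa, P) * pow(H, lam, P) % P


def projhash_dh(hp, a):
    """ProjHash(hp; (G, H), a) = hp^a, needs the witness a with G = g^a, H = h^a."""
    return pow(hp, a, P)


def dh_word(a, b=None):
    """Build (g^a, h^b); it is a valid DH tuple exactly when b == a."""
    b = a if b is None else b
    return pow(G_GEN, a, P), pow(H_GEN, b, P)


# Conjunction L1 ∩ L2: hp = (hp1, hp2) and the hash values are multiplied,
# so a single comparison verifies both memberships at once.
def conj_hash(hk1, hk2, w1, w2):
    return hash_dh(hk1, w1) * hash_dh(hk2, w2) % P


def conj_projhash(hp1, hp2, a1, a2):
    return projhash_dh(hp1, a1) * projhash_dh(hp2, a2) % P


def in_language(hk, word, a):
    """Verifier-side check: the witness holder's projected value must match Hash."""
    return hash_dh(hk, word) == projhash_dh(projkg(hk), a)


if __name__ == "__main__":
    hk = hashkg(random.Random(1))
    print("valid tuple matches:", in_language(hk, dh_word(123), 123))
    print("invalid tuple matches:", in_language(hk, dh_word(123, 124), 123))
```

For a word $(g^{a}, h^{b})$ with $b \neq a$ the two values differ by $h^{(b-a)\lambda}$, so anyone holding only $hp$ can match $\mathrm{Hash}$ with probability $1/q$; that is the smoothness the slides rely on, and it is why the mismatch in the test is deterministic as long as $\lambda \neq 0$.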
Advanced Languages
- (Linear) Cramer-Shoup Encryption
  Verifiability of the CS ciphertext $(u_1 = g_1^{r}, u_2 = g_2^{r}, e = h^{r} M, v = (c d^{\xi})^{r})$:
  $hp = g_1^{\kappa} g_2^{\mu} (c d^{\xi})^{\eta} h^{\lambda}$, and $hp^{r} = u_1^{\kappa} u_2^{\mu} v^{\eta} (e/M)^{\lambda}$
  Applications: Implicit Opening of a ciphertext, verifiability of a ciphertext, PAKE
  Verifiability of the Linear CS ciphertext $(g_1^{r}, g_2^{s}, g_3^{r+s}, h_1^{r} h_2^{s} M, (c_1 d_1^{\xi})^{r} (c_2 d_2^{\xi})^{s})$:
  $hp = (hp_1 = g_1^{\kappa} g_3^{\theta} (c_1 d_1^{\xi})^{\eta} h_1^{\lambda},\ hp_2 = g_2^{\mu} g_3^{\theta} (c_2 d_2^{\xi})^{\eta} h_2^{\lambda})$,
  and $hp_1^{r} hp_2^{s} = u_1^{\kappa} u_2^{\mu} u_3^{\theta} v^{\eta} (e/M)^{\lambda}$
- Commitment of a commitment (ELin)
  $(U = u^{a}, V = v^{s}, G = h^{s} g^{a})$: $hp = (hp_1 = u^{\eta} g^{\lambda},\ hp_2 = v^{\theta} h^{\lambda})$, and $hp_1^{a} hp_2^{s} = U^{\eta} V^{\theta} G^{\lambda}$
- Linear Pairing Equations
  $\prod_{i \in A_k} e(Y_i, A_{k,i}) \cdot \prod_{i \in B_k} Z_i^{Z_{k,i}} = D_k$
  For each variable: $hp_i = (u^{\kappa_i} g^{\lambda},\ v^{\mu_i} g^{\lambda})$
  $\prod_{i \in A_k} e(hp_i, A_{k,i})^{w_i} \cdot \prod_{i \in B_k} HP_i^{Z_{k,i} w_i} = \prod_{i \in A_k} e(H_i, A_{k,i}) \cdot \prod_{i \in B_k} H_i^{Z_{k,i}} / D_k^{\lambda}$
  Knowledge of a secret key, knowledge of a (secret) signature on a (secret) message valid under a (secret) verification key, ...
Commitment à la Lindell [Lin11]
Alice: $(C, C') = \mathrm{DCS}(M, 1; \alpha)$, $\pi = \mathrm{Ped}(C', t, M)$, $z = \alpha_1 + \alpha_2$
Alice → Bob: $C, \pi$
Bob: $hk \xleftarrow{\$} \mathbb{Z}_p^{n}$, $hp_i = g_1^{\mu_i} g_2^{\nu_i} h^{\lambda_i} (c d^{\xi})^{\theta_i}$
Bob → Alice: $hp$
Alice → Bob: $t, C'$
Alice → Bob: $hp^{z}, M$
Bob compares $hp^{z}$ with $\mathrm{Hash}(C \cdot C', M; hk)$.
- Self-Randomizable Language
- Double-Step PD-CCA Commitment
- Implicit Decommitment
Outline
1 Introduction
2 Building Blocks
3 Language Authenticated Key Exchange
General Instantiation
Secret Handshakes
Password Authenticated Key Exchange
4 Conclusion
Language Authenticated Key Exchange
Alice → Bob: $C(L_B, L'_A, M_B),\ \pi(C')$
Bob → Alice: $C(L'_B, L_A, M_A),\ hp_B$
Alice → Bob: $hp_A,\ C'(1, 1, 1)$
Session key: $H_B \cdot H'_A$ on one side, $H'_B \cdot H_A$ on the other ($H_X$ computed with $hk_X$, $H'_X$ with $hp_X$ and a witness).
Same value iff languages are as expected, and users know witnesses.
Secret Handshakes
for the same secret signing authority
Alice → Bob: $C(L(\sigma, vk_A, id_B), L(\sigma, vk_A, id_A), \sigma(A)),\ \pi(C')$
Bob → Alice: $C(L(\sigma, vk_B, id_B), L(\sigma, vk_B, id_A), \sigma(B)),\ hp_B$
Alice → Bob: $hp_A,\ C'(1, 1, 1)$
Session key: $H_B \cdot H'_A$ on one side, $H'_B \cdot H_A$ on the other.
Ciphertext of a Waters Signature valid under the committed $vk$: $e(\sigma_1, g) = e(h, vk) \cdot e(id^{*}, \sigma_2)$
Password Authenticated Key Exchange
Alice → Bob: $C(pw_B),\ \pi(C')$
Bob → Alice: $C(pw_A),\ hp_B$
Alice → Bob: $hp_A,\ C'(1)$
Session key: $H_B \cdot H'_A$ on one side, $H'_B \cdot H_A$ on the other.
Share a common session key iff they possess the same password.
Password Authenticated Key Exchange (concrete instantiation)
Alice → Bob: $C_A = (u^{r_A},\ v^{r_A},\ pw_B\, h^{r_A},\ (c d^{\xi_A})^{r_A})$, $\pi = g^{t} \,\|\, \mathrm{Hash}(C'_A)$
Bob → Alice: $C_B = (pw_A\, h^{r_B},\ g^{r_B})$, $hp_B = u^{\lambda_B} v^{\mu_B} h^{\eta_B} (c d^{\xi_A})^{\theta_B}$
Alice → Bob: $C'_A = (u^{s_A},\ v^{s_A},\ h^{s_A},\ (c d^{\xi_A})^{s_A})$, $t$, $hp_A = g^{\lambda_A} h^{\eta_A}$
Alice: $\mathrm{Hash}_{hk_A}(C_{B, -pw_A}) \cdot hp_B^{\,s_A + r_A}$
Bob: $hp_A^{\,r_B} \cdot \mathrm{Hash}_{hk_B}(C^{*}_{A, -pw_B})$, with $C^{*}_A = C_A \cdot C'_A$ (randomness $r_A + s_A$, same $\xi_A$)
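Added example, not the paper's or the authors' code: a Python walk-through of the pieces that the Cramer-Shoup slides and the PAKE slides above combine. It implements Setup/KeyGen/Encrypt/Decrypt of Cramer-Shoup over a seeded 128-bit safe-prime subgroup (a demo size), the SPHF for the language of CS ciphertexts of $M$ from the Advanced Languages slide ($hp = g_1^{\kappa} g_2^{\mu} (c d^{\xi})^{\eta} h^{\lambda}$, $\mathrm{Hash} = u_1^{\kappa} u_2^{\mu} v^{\eta} (e/M)^{\lambda}$, $\mathrm{ProjHash} = hp^{r}$), and the key derivation of the PAKE in which each side multiplies its Hash of the other's ciphertext by its ProjHash of its own. Two simplifications are choices of this example, not of the paper: the second-step ciphertext $C'$ and the commitment $\pi$ that give the UC proof its extractability and equivocability are left out, and $\xi$ hashes only $(u, e)$ without the session labels a real instance must bind. The password encoding as $g_1^{\mathrm{SHA\text{-}256}(pw) \bmod q}$ and the Miller-Rabin group generation are likewise assumptions of this example.

```python
"""Cramer-Shoup, the SPHF on CS ciphertexts and the PAKE core built from them (added example)."""
import hashlib
import random

def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with random bases; adequate for an example, not for a library."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=128, seed=2013):
    """Setup(1^lambda): (q, p, g1, g2) with p = 2q + 1 and g1, g2 of order q (seeded demo size)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q, rng) and _is_probable_prime(2 * q + 1, rng):
            break
    p = 2 * q + 1
    g1, g2 = (pow(rng.randrange(2, p - 1), 2, p) for _ in range(2))  # squares have order q
    return q, p, g1, g2

def keygen(G, rng):
    """dk = (mu1, mu2, nu1, nu2, eta1, eta2) <- Z_q^6, pk = (c, d, h) = (g1^mu1 g2^mu2, ...)."""
    q, p, g1, g2 = G
    dk = tuple(rng.randrange(q) for _ in range(6))
    pk = tuple(pow(g1, dk[i], p) * pow(g2, dk[i + 1], p) % p for i in (0, 2, 4))
    return dk, pk

def xi(G, u1, u2, e):
    """xi = Hash(u, e); a deployment also binds the session label into this hash (assumption: omitted)."""
    data = b"|".join(str(x).encode() for x in (u1, u2, e))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % G[0]

def encrypt(G, pk, M, alpha):
    """CS(M; alpha) = (u1, u2, e, v) = (g1^alpha, g2^alpha, M h^alpha, (c d^xi)^alpha)."""
    (q, p, g1, g2), (c, d, h) = G, pk
    u1, u2, e = pow(g1, alpha, p), pow(g2, alpha, p), M * pow(h, alpha, p) % p
    return u1, u2, e, pow(c * pow(d, xi(G, u1, u2, e), p) % p, alpha, p)

def decrypt(G, dk, C):
    """CCA check v = u1^(mu1 + xi nu1) u2^(mu2 + xi nu2), then M = e / (u1^eta1 u2^eta2)."""
    (q, p, _, _), (mu1, mu2, nu1, nu2, eta1, eta2), (u1, u2, e, v) = G, dk, C
    x = xi(G, u1, u2, e)
    if v != pow(u1, (mu1 + x * nu1) % q, p) * pow(u2, (mu2 + x * nu2) % q, p) % p:
        return None  # invalid ciphertext: reject rather than decrypt
    return e * pow(pow(u1, eta1, p) * pow(u2, eta2, p), -1, p) % p

def hashkg(G, rng):
    """hk = (kappa, mu, eta, lambda) <- Z_q^4 for the language of CS ciphertexts of M."""
    return tuple(rng.randrange(G[0]) for _ in range(4))

def projkg(G, pk, hk, C):
    """hp = g1^kappa g2^mu (c d^xi)^eta h^lambda; depends on the word C through xi."""
    (q, p, g1, g2), (c, d, h), (kappa, mu, eta, lam) = G, pk, hk
    cd = c * pow(d, xi(G, *C[:3]), p) % p
    return pow(g1, kappa, p) * pow(g2, mu, p) * pow(cd, eta, p) * pow(h, lam, p) % p

def sphf_hash(G, hk, C, M):
    """Hash(hk; C, M) = u1^kappa u2^mu v^eta (e/M)^lambda, computed without alpha."""
    p, (kappa, mu, eta, lam), (u1, u2, e, v) = G[1], hk, C
    return pow(u1, kappa, p) * pow(u2, mu, p) * pow(v, eta, p) * pow(e * pow(M, -1, p) % p, lam, p) % p

def sphf_projhash(G, hp, alpha):
    """ProjHash(hp; C, alpha) = hp^alpha; equals Hash exactly when C encrypts M."""
    return pow(hp, alpha, G[1])

def pw_to_group(G, pw):
    """Assumed password encoding: g1^(SHA-256(pw) mod q)."""
    q, p, g1, _ = G
    return pow(g1, int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % q, p)

def pake(G, pk, pw_alice, pw_bob, seed=7):
    """The three flows of the PAKE slide, minus the (C', pi) commitment; returns (K_A, K_B)."""
    q, p = G[0], G[1]
    rng = random.Random(seed)
    M_a, M_b = pw_to_group(G, pw_alice), pw_to_group(G, pw_bob)
    r_a, r_b = rng.randrange(1, q), rng.randrange(1, q)
    C_a = encrypt(G, pk, M_a, r_a)                            # flow 1, Alice -> Bob: C_A
    C_b = encrypt(G, pk, M_b, r_b)                            # flow 2, Bob -> Alice: C_B, hp_B
    hk_b = hashkg(G, rng); hp_b = projkg(G, pk, hk_b, C_a)
    hk_a = hashkg(G, rng); hp_a = projkg(G, pk, hk_a, C_b)   # flow 3, Alice -> Bob: hp_A
    # Each side hashes the other's ciphertext against its own password with its secret hk,
    # and projects its own ciphertext with the other's hp using its encryption randomness.
    K_a = sphf_hash(G, hk_a, C_b, M_a) * sphf_projhash(G, hp_b, r_a) % p
    K_b = sphf_hash(G, hk_b, C_a, M_b) * sphf_projhash(G, hp_a, r_b) % p
    return K_a, K_b
```

With equal passwords both keys collapse to $hp_A^{r_B} \cdot hp_B^{r_A}$; with different passwords they differ by $(M_B/M_A)^{\lambda_A + \lambda_B}$, a uniformly random group element. An attacker who replays or forges a ciphertext for a guessed password gets a key that matches only if the guess is right, and learns nothing about the honest password from a wrong guess because the honest side's Hash is then independent of the $hp$ it published (smoothness) while $C_A$ itself hides $pw$ under IND-CCA. That is what limits the adversary to online guesses; the omitted $C'$/$\pi$ step is what the UC simulator needs to extract and equivocate those ciphertexts.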
Outline
1 Introduction
2 Building Blocks
3 Language Authenticated Key Exchange
4 Conclusion
Extensions and Open Questions
✓ We presented a general framework to instantiate several AKE protocols.
✓ This allows producing efficient UC instantiations under classical assumptions (DDH, DLin, ...).
✓ Concrete examples for PAKE, v-PAKE, several Secret Handshakes, CAKE, ...
✓ New manageable languages with SPHF implicit proofs of knowledge.
✓ Several new tools: multi-commitment on CS, revisited commitment à la Lindell, ...
Many thanks for your attention!
Any questions?
More details are available in the full version. . .