slides - Olivier Blazy
Transcription
slides - Olivier Blazy
Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013, Fabrice Ben Hamouda Olivier Blazy Céline Chevalier David Pointcheval Damien Vergnaud Horst Görtz Institute for IT Security / Ruhr-University Bochum ENS / CNRS / INRIA / Université Panthéon-Assas 1 Introduction LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26 1 Introduction 2 Building Blocks LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange 4 Conclusion LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26 Outline 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange 4 Conclusion Authenticated Key Exchange Alice Bob −−−−−−−−−−−−−−−→ ←−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−→ KAB Share a common session key iff everything goes well. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 4/26 Password Authenticated Key Exchange Alice [BM92] Bob −−−−−−−−−−−−−−−→ ←−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−→ pwA pwB Share a common session key iff they possess the same password. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 5/26 Secret Handshakes [BDSS03] Alice Bob −−−−−−−−−−−−−−−→ ←−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−→ σA σB Share a common session key iff their signatures fit. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 6/26 Credential Authenticated Key Exchange Alice [CCGS10] Bob −−−−−−−−−−−−−−−→ ←−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−→ Cred (A) Cred (B) Share a common session key iff they possess the required credentials. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 7/26 Language Authenticated Key Exchange Alice Bob −−−−−−−−−−−−−−−→ ←−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−→ wA wB Share a common session key iff their (words/languages) fit. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 8/26 Outline 1 Introduction 2 Building Blocks Cramer Shoup Encryption Revisited Smooth Projective Hash Functions and their language Manageable Languages 3 Language Authenticated Key Exchange 4 Conclusion Cramer Shoup Encryption Definition [CS02] § Setup(1λ ): Generates a multiplicative group (p, G, g1 , g2 ). § EKeyGenE (param): dk = (µ1,2 , ν1,2 , η1,2 ) ← Z6p , pk = (c = g1µ1 g2µ2 , d = g1ν1 g2ν2 , h = g1η1 g2η2 ). § Encrypt(pk, M; α): For M, and α ← Z p , defines C = CS(M; α) as u = (g1α , g2α ), e = Mhα , v = (cd ξ )α . ξ = Hash(u, e) § Decrypt(dk = (µ, ν, η), C = (u, e, v )): Q Q If v = uiµi +ξνi , then M = e · ui−ηi . $ $ IND-CCA under DDH LAKE | Horst Görtz Institute for IT-Security | PKC 2013 10/26 Double Cramer Shoup Encryption Definition § Setup(1λ ): Generates a multiplicative group (p, G, g1 , g2 ). § EKeyGenE (param): dk ← Z6p , pk. § Encrypt1 (pk, M; α): C = CS(M; α). § Encrypt2 (pk, N, ξ; α0 ): For N, and α ← Zp , defines C 0 = CS 0 (N, ξ; α) as 0 0 0 0 u 0 = (g1α , g2α ), e 0 = Mhα , v 0 = (cd ξ )α . § Decrypt(dk = (µ, ν, η), C = (u, e, v ), C 0 ): Q Q If v = uiµi +ξνi , then M = e · ui−ηi . Q Q If v 0 = ui0 µi +ξνi , then N = e 0 · ui0 −ηi . $ $ IND-PD-CCA under DDH (IND-CCA on CS, IND-CPA on CS’) LAKE | Horst Görtz Institute for IT-Security | PKC 2013 11/26 Multi Double Cramer Shoup Encryption Definition § Setup(1λ ): Generates a multiplicative group (p, G, g1 , g2 ). § EKeyGenE (param): dk ← Z6p , pk. § Encrypt1 (pk, M; α): C = CS(M; α), where ξ = Hash(u, e). § Encrypt2 (pk, N, ξ; α0 ): C 0 = CS 0 (N, ξ; α0 ). § Decrypt(dk (µ, ν, η), C, C 0 ): Q Q µ=+ξν −ηi i i , then M = e · If v = Qui Qui 0 −η.i µi +ξνi 0 0 0 If v = ui , then N = e · ui . $ IND-PD-CCA under DDH. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 12/26 Smooth Projective Hash Functions Definition [CS02,GL03] Let {H} be a family of functions: § X , domain of these functions § L, subset (a language) of this domain such that, for any point x in L, H(x) can be computed by using § either a secret hashing key hk: H(x) = HashL (hk; x); § or a public projected key hp: H 0 (x) = ProjHashL (hp; x, w ) Public mapping hk 7→ hp = ProjKGL (hk, x) LAKE | Horst Görtz Institute for IT-Security | PKC 2013 13/26 Properties For any x ∈ X , H(x) = HashL (hk; x) For any x ∈ L, H(x) = ProjHashL (hp; x, w ) LAKE | Horst Görtz Institute for IT-Security | PKC 2013 w witness that x ∈ L 14/26 Properties For any x ∈ X , H(x) = HashL (hk; x) For any x ∈ L, H(x) = ProjHashL (hp; x, w ) w witness that x ∈ L Smoothness For any x 6∈ L, H(x) and hp are independent LAKE | Horst Görtz Institute for IT-Security | PKC 2013 14/26 Properties For any x ∈ X , H(x) = HashL (hk; x) For any x ∈ L, H(x) = ProjHashL (hp; x, w ) w witness that x ∈ L Smoothness For any x 6∈ L, H(x) and hp are independent Pseudo-Randomness For any x ∈ L, H(x) is pseudo-random, without a witness w LAKE | Horst Görtz Institute for IT-Security | PKC 2013 14/26 Properties For any x ∈ X , H(x) = HashL (hk; x) For any x ∈ L, H(x) = ProjHashL (hp; x, w ) w witness that x ∈ L Smoothness For any x 6∈ L, H(x) and hp are independent Pseudo-Randomness For any x ∈ L, H(x) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X : Hard-Partitioned Subset L is a hard-partitioned subset of X if it is computationally hard to distinguish a random element in L from a random element in X \ L LAKE | Horst Görtz Institute for IT-Security | PKC 2013 14/26 Straightforward Languages § Diffie Hellman / Linear Tuple (g , h, G = g a , H = ha ) Valid Diffie Hellman tuple? hp : g κ hλ hpa = G κ H λ Oblivious Transfer, Implicit Opening of a ciphertext LAKE | Horst Görtz Institute for IT-Security | PKC 2013 15/26 Straightforward Languages § Diffie Hellman / Linear Tuple (g , h, G = g a , H = ha ) Valid Diffie Hellman tuple? hp : g κ hλ hpa = G κ H λ Oblivious Transfer, Implicit Opening of a ciphertext (U = u a , V = v b , W = g a+b ) hp : u κ g λ , v µ g λ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 Valid Linear tuple? hpa1 hpb2 = U κ V µ W λ 15/26 Straightforward Languages § Diffie Hellman / Linear Tuple § Conjunction / Disjunction L1 ∩ L2 hp : hp1 , hp2 ∧Ai LAKE | Horst Görtz Institute for IT-Security | PKC 2013 Simultaneous verification H10 · H20 = H1 · H2 15/26 Straightforward Languages § Diffie Hellman / Linear Tuple § Conjunction / Disjunction L1 ∪ L2 hp = hp1 , hp2 , hp∆ Is it a bit? H0 LAKE | Horst Görtz Institute for IT-Security | PKC 2013 One out of 2 conditions w2 hk1 1 = L1 ?hpw 1 : hp2 · hp∆ = X1 15/26 Advanced Languages § (Linear) Cramer-Shoup Encryption (u1 = g1r , u2 = g2r , e = hr M, v = (cd ξ )r ) hp : g1κ g2µ (cd ξ )η hλ Verifiability of the CS hpr = u1κ u2µ v η (e/M)λ Implicit Opening of a ciphertext, verifiability of a ciphertext, PAKE LAKE | Horst Görtz Institute for IT-Security | PKC 2013 16/26 Advanced Languages § (Linear) Cramer-Shoup Encryption (u1 = g1r , u2 = g2r , e = hr M, v = (cd ξ )r ) hp : g1κ g2µ (cd ξ )η hλ Verifiability of the CS hpr = u1κ u2µ v η (e/M)λ Implicit Opening of a ciphertext, verifiability of a ciphertext, PAKE (g1r , g2s , g3r +s , h1r h2s M, (c1 d1ξ )r (c2 d2ξ )s ) hp : g1κ g3θ (c1 d1ξ )η hλ , g2µ g3θ (c2 d2ξ )η hλ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 Verifiability of the LCS = u1κ u2µ u3θ v η (e/M)λ hpr1 hps2 16/26 Advanced Languages § (Linear) Cramer-Shoup Encryption § Commitment of a commitment (U = u a , V = v s , G = hs g a ) hp : u η g λ , v θ hλ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 ELin hpa1 hps2 = UηV θG λ 16/26 Advanced Languages § (Linear) Cramer-Shoup Encryption § Commitment of a commitment § Linear Pairing Equations Y Y e(Yi , Ak,i ) · Zi Zk,i = Dk i∈Ak i∈Bk For each variables: hpi : u κi g λ , v µi g λ Q Q Zk,i wi wi = i∈Ak e(hpi , Ak,i ) · i∈Bk HPi Q Q Zk,i /D λ i∈Ak e(Hi , Ak,i ) · i∈Bk Hi k Knowledge of a secret key, Knowledge of a (secret) signature on a (secret) message valid under a (secret) verification key, . . . LAKE | Horst Görtz Institute for IT-Security | PKC 2013 16/26 Commitment à la Lindell Alice C, C 0 [Lin11] Bob = DCS(M, 1; α), π = Ped (C 0 , t, M) z = α1 + α2 C, π $ −−−−−−−−−−−−−−−→ ← Znp , , hp ←−−−−−−−−−−−−−−− hpi = g1µi g2νi hλi (cd ξ )θi t, C 0 −−−−−−−−−−−−−−−→ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 17/26 Commitment à la Lindell Alice C, C 0 [Lin11] Bob = DCS(M, 1; α), π = Ped (C 0 , t, M) z = α1 + α2 C, π $ −−−−−−−−−−−−−−−→ ← Znp , , hp ←−−−−−−−−−−−−−−− hpi = g1µi g2νi hλi (cd ξ )θi t, C 0 −−−−−−−−−−−−−−−→ hpz , M −−−−−−−−−−−−−−−→ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 Hash(C C 0 , M, hk) 17/26 § Self-Randomizable Language LAKE | Horst Görtz Institute for IT-Security | PKC 2013 18/26 § Self-Randomizable Language § Double-Step PD-CCA Commitment LAKE | Horst Görtz Institute for IT-Security | PKC 2013 18/26 § Self-Randomizable Language § Double-Step PD-CCA Commitment § Implicit Decommitment LAKE | Horst Görtz Institute for IT-Security | PKC 2013 18/26 Outline 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange General Instantiation Secret Handshakes Password Authenticated Key Exchange 4 Conclusion Language Authenticated Key Exchange Alice Bob C(LB , L0A , MB ), π(C 0 ) −−−−−−−−−−−−−−−→ C(L0 , LA , MA ), hpB , ←−−B−−−−−−−−−−−−− hpA , C 0 (1, 1, 1) −−−−−−−−−−−−−−−→ HB · HA0 HB0 · HA Same value iff languages are as expected, and users know witnesses. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 20/26 Secret Handshakes for the same secret signing authority Alice Bob 0 C(L(σ, vkA , idB ), L(σ, vkA , idA ), σ(A)), π(C ) −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ C(L(σ, vkB , idB ), L(σ, vkB , idA ), σ(B)), hpB , ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− hpA , C 0 (1, 1, 1) −−−−−−−−−−−−−−−→ HB · HA0 HB0 · HA Ciphertext of a Waters Signature valid under the committed vk: e(σ1 , g ) = e(h, vk) · e(id∗ , σ2 ) LAKE | Horst Görtz Institute for IT-Security | PKC 2013 21/26 Password Authenticated Key Exchange Alice Bob C(pwB ), π(C 0 ) −−−−−−−−−−−−−−−→ C(pwA ), hpB , ←−−−−−−−−−−−−−−− hpA , C 0 (1) −−−−−−−−−−−−−−−→ HB · HA0 HB0 · HA Share a common session key iff they possess the same password. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 22/26 Password Authenticated Key Exchange Alice Bob rA rA rA ξA rA u , v , pwB h , (cd ) −−−−−−−−−−−−−−−−−−→ 0 g t k Hash(CA ) pw hrB , g rB ←−−−−−A−−−−−−−−−− hpB : u λB v µB hηB (cd ξA )θB , CA0 = (u sA , v sA , hsA , (cd ξA )sA ) −−−−−−−−−−−−−−−−−−−−−→ t, hpA : g λA hηA hkA · hpsBA +rA CB,−pw A LAKE | Horst Görtz Institute for IT-Security | PKC 2013 hkB ∗ hprAB · CA,−pw B 23/26 Outline 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange 4 Conclusion Extensions and Open Questions X We presented a general Framework to instantiate several AKE protocols. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 25/26 Extensions and Open Questions X We presented a general Framework to instantiate several AKE protocols. X This allows to produce efficient UC instantiations under classical assumptions (DDH,DLin,...) LAKE | Horst Görtz Institute for IT-Security | PKC 2013 25/26 Extensions and Open Questions X We presented a general Framework to instantiate several AKE protocols. X This allows to produce efficient UC instantiations under classical assumptions (DDH,DLin,...) X Concrete examples for PAKE, v-PAKE, several Secret Handshakes, CAKE, . . . LAKE | Horst Görtz Institute for IT-Security | PKC 2013 25/26 Extensions and Open Questions X We presented a general Framework to instantiate several AKE protocols. X This allows to produce efficient UC instantiations under classical assumptions (DDH,DLin,...) X Concrete examples for PAKE, v-PAKE, several Secret Handshakes, CAKE, . . . X New manageable languages with SPHF implicit proofs of knowledge LAKE | Horst Görtz Institute for IT-Security | PKC 2013 25/26 Extensions and Open Questions X We presented a general Framework to instantiate several AKE protocols. X This allows to produce efficient UC instantiations under classical assumptions (DDH,DLin,...) X Concrete examples for PAKE, v-PAKE, several Secret Handshakes, CAKE, . . . X New manageable languages with SPHF implicit proofs of knowledge X Several new tools: multi-commitment on CS, revisited commitment à la Lindell, . . . LAKE | Horst Görtz Institute for IT-Security | PKC 2013 25/26 Many thanks for your attention! Any questions? More details are available in the full version. . . LAKE | Horst Görtz Institute for IT-Security | PKC 2013