A Scalable Password-based Group Key Exchange Protocol in the Standard Model
David Pointcheval, École normale supérieure & CNRS
Joint work with: Michel Abdalla

Authenticated Key Exchange (AKE)
Goal: secure channel
- Allows two parties to establish a common secret in an authenticated way
- Intuitive goal: implicit authentication
  – The session key should only be known to the parties involved in the protocol
- Formally: semantic security
  – The session key should be indistinguishable from a random string
Diffie-Hellman Protocol
Let G be a group in which the DDH problem is hard and let g be a generator for G.
  Alice: sk_A ← {0,…,|G|-1}, pk_A ← g^{sk_A}
  Bob:   sk_B ← {0,…,|G|-1}, pk_B ← g^{sk_B}
  Alice → Bob: pk_A
  Bob → Alice: pk_B
  Alice: sk ← pk_B^{sk_A}
  Bob:   sk ← pk_A^{sk_B}
Protocol does NOT provide authentication

Authentication Techniques
- Asymmetric techniques
  – Assume the existence of a public-key infrastructure
  – Each party holds a pair of secret and public keys
- Symmetric techniques
  – Users share a random secret key
  – 2-party or 3-party settings
- Password-based techniques
  – Consider the case of weak secrets (e.g., a 4-digit PIN)
Group Password-based AKE (GPAKE)
Allows a pool of users to establish a common session key with only the help of passwords
- Scenario: similar to the 2-party case, except that …
  – Number of protocol participants is variable
  – Password is shared among all participants
  – Session key is shared among all participants
- Security goal
  – Similar to the 2-party case: indistinguishability

Communication Model
- Users can have many protocol instances running concurrently
- Communication controlled by the adversary
  – Adversary can create, modify, or forward messages
  – The transmission of messages is done via specific oracle queries
Previous Work on GPAKE
- [BressonChevassutP02]:
  – Group Diffie-Hellman password-based key exchange
  – Linear number of rounds
  – Security in the ROM and ICM
The Burmester-Desmedt GKE (BD94)
Parties P_1, …, P_N arranged in a ring (indices taken mod N):
  Round 1 (each P_i): x_i ← Z_p, X_i ← g^{x_i}; broadcast X_i
  Pairwise keys (each P_i): K_i ← X_{i+1}^{x_i}, K_{i-1} ← X_{i-1}^{x_i}
    (P_1: K_1 ← X_2^{x_1}, K_N ← X_N^{x_1}; P_N: K_N ← X_1^{x_N}, K_{N-1} ← X_{N-1}^{x_N})
  Round 2 (each P_i): Z_i ← K_i / K_{i-1}; broadcast Z_i
    (Z_1 ← K_1 / K_N, Z_N ← K_N / K_{N-1})
  Session key: SK ← K_1 · K_2 ⋯ K_N
Protocol does NOT provide authentication

Adding Password Authentication (Ideal Cipher Model)
- EKE approach
  – Encrypt all flows using the password pw
  – In both rounds: X*_i = E_pw(X_i) and Z*_i = E_pw(Z_i)
- Problem
  – In the BD protocol, Z_1 · Z_2 ⋯ Z_N = 1
  – Dictionary attack: guess a password pw, compute Z_i = D_pw(Z*_i) for i = 1, …, N, check if Z_1 · Z_2 ⋯ Z_N = 1
- A provably secure approach: [AbdallaBressonChevassutP06]
  – Encrypt only the first round of the BD protocol, with a key that depends on the password but also on the session ID and the party ID
The Burmester-Desmedt GKE: A Generic Version
From any key exchange protocol KE:
  P_{i-1} and P_i run KE to obtain K_{i-1}; P_i and P_{i+1} run KE to obtain K_i
  Each P_i: Z_i ← K_i / K_{i-1}; broadcast Z_i
    (Z_{i-1} ← K_{i-1} / K_{i-2}, Z_{i+1} ← K_{i+1} / K_i)
  SK ← K_1 · K_2 ⋯ K_N

A GPAKE in the Standard Model: Intuition
- Run an instance of the PAKE protocol between any two consecutive users
  – so that it generates 2 pairwise keys
- Each user should authenticate its predecessor and successor (using one of the pairwise keys)
- Use the 2 other pairwise keys to generate the group session key (Burmester-Desmedt)
- Signatures authenticate the transcript of all messages that were broadcast in previous rounds, and that have to be linked together
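The ring protocol above, as an added example that is not part of the slides: the generic Burmester-Desmedt construction with Diffie-Hellman as the pairwise KE, run over a constructed toy group (p = 1019, q = 509, g = 4; a real deployment would use a standardised group). Each party derives the session key only from its own two pairwise keys and the broadcast Z values, and the run also checks the invariant Z_1 ⋯ Z_N = 1 that the EKE slide identifies as the reason a password-encrypted second round hands the adversary an offline password check. As the slides say, nothing here authenticates anyone; the GPAKE replaces the DH step with a PAKE.

```python
import secrets

# Toy group parameters (constructed for illustration; far too small for real use):
# safe prime p = 2q + 1, g = 4 generates the order-q subgroup of quadratic residues.
P, Q, G = 1019, 509, 4


def dh_keygen(x=None):
    """Diffie-Hellman: sk <- {0,...,q-1}, pk = g^sk (x may be fixed for tests)."""
    x = secrets.randbelow(Q) if x is None else x
    return x, pow(G, x, P)


def dh_shared(sk, pk_other):
    """Shared secret pk_other^sk; both sides obtain g^(sk_A * sk_B)."""
    return pow(pk_other, sk, P)


def bd_round2(k_right, k_left):
    """P_i's second-round value Z_i = K_i / K_{i-1} (division = multiply by inverse)."""
    return k_right * pow(k_left, -1, P) % P


def bd_session_key(i, k_right, Z):
    """P_i recovers every K_j from its own K_i and the broadcast Z's, using
    K_j = Z_j * K_{j-1} around the ring, then multiplies them: SK = K_1 * ... * K_N."""
    n = len(Z)
    keys = {i: k_right}
    k = k_right
    for step in range(1, n):
        j = (i + step) % n
        k = Z[j] * k % P
        keys[j] = k
    sk = 1
    for j in range(n):
        sk = sk * keys[j] % P
    return sk


def product_mod_p(values):
    out = 1
    for v in values:
        out = out * v % P
    return out


def run_group_ke(n, xs=None):
    """Generic BD run with DH as the pairwise KE. Returns (per-party SK list, Z list)."""
    # Round 1: each P_i publishes X_i = g^{x_i}
    parties = [dh_keygen(None if xs is None else xs[i]) for i in range(n)]
    # Pairwise keys: P_i shares K_i with P_{i+1} and K_{i-1} with P_{i-1} (indices mod n)
    k_right = [dh_shared(parties[i][0], parties[(i + 1) % n][1]) for i in range(n)]
    k_left = [dh_shared(parties[i][0], parties[(i - 1) % n][1]) for i in range(n)]
    # Sanity check: P_i's left key is P_{i-1}'s right key
    assert all(k_left[i] == k_right[(i - 1) % n] for i in range(n))
    # Round 2: broadcast Z_i = K_i / K_{i-1}
    Z = [bd_round2(k_right[i], k_left[i]) for i in range(n)]
    session_keys = [bd_session_key(i, k_right[i], Z) for i in range(n)]
    return session_keys, Z


if __name__ == "__main__":
    sks, Z = run_group_ke(5)
    print("all parties agree:", len(set(sks)) == 1)
    print("Z_1 * ... * Z_N == 1:", product_mod_p(Z) == 1)  # the password-check leak in EKE-style BD
```

With fixed exponents x = (3, 5, 7) the three pairwise keys are g^15, g^35 and g^21, so every party ends with SK = g^71; the product of the Z values is 1 regardless of the exponents, which is exactly what lets a guessed password be tested offline when the Z_i are encrypted under it.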
A GPAKE in the Standard Model: Outline
  P_{i-1} and P_i run PAKE, obtaining the pair (K^R_{i-1}, K_i); P_i and P_{i+1} run PAKE, obtaining (K^R_i, K_{i+1})
  Authentication of P_{i+1}: test^R_i ← UH(K^R_i); send test^R_i
  Authentication of P_{i-1}: test^L_i ← UH'(K^R_{i-1})
  Burmester-Desmedt: X_i ← K_{i+1} / K_i; broadcast test^L_i, X_i
  Link all the flows: σ_i
  SK ← UH''(K_1 · K_2 ⋯ K_N)

Smooth Projective Hash Functions [Gennaro-Lindell's variant]
- Hash key generation: hk = HK(pk)
  – pk: public encryption key, hk: hashing key
- Projected key generation: hp = α(hk, c)
  – hk: hashing key, hp: projected key, c = E(pk, m; r): ciphertext
- Hashing algorithm: H(hk, m, c) ∈ G
  – m: message, c = E(pk, m; r): ciphertext, hk: hashing key
- Projected hashing algorithm: h = h(hp, m, c; r)
  – hp: projected key, r: random coins, c = E(pk, m; r)
Smooth Projective Hash Functions: Security Properties
- Correctness (statistically):
  – If c = E(pk, m; r), then (m, c, hp = α(hk, c)) uniquely determines H(hk, m, c)
  – When c = E(pk, m; r), H(hk, m, c) can be computed efficiently given r: h(hp, m, c; r) = H(hk, m, c)
- Smoothness (statistically):
  – If c is not an encryption of m, then (m, c, hp) gives no information on H(hk, m, c)
- Pseudo-randomness (computationally):
  – When c = E(pk, m; r) and hp = α(hk, c), then H(hk, m, c) is pseudo-random given (m, c, hp)

The Gennaro-Lindell Construction
  Alice: (sk_R, vk_R) ← Sig-KG; c_R ← E_pk(pw || vk_R; r_R)
  Alice → Bob: Alice, vk_R, c_R
  Bob: (sk_L, vk_L) ← Sig-KG; hk_L ← hashKey; hp_L ← α(hk_L, c_R, vk_R); c_L ← E_pk(pw || vk_L; r_L)
  Bob → Alice: Bob, hp_L, vk_L, c_L
  Alice: hk_R ← hashKey; hp_R ← α(hk_R, c_L, vk_L); σ_R ← Sign(sk_R, Transcript)
  Alice → Bob: hp_R, σ_R
  Bob: σ_L ← Sign(sk_L, Transcript)
  Bob → Alice: σ_L
  Alice: K_R ← h_{hp_L}(pw, c_R, vk_R; r_R); K_L ← H_{hk_R}(pw, vk_L, c_L)
  Bob:   K_R ← H_{hk_L}(pw, vk_R, c_R); K_L ← h_{hp_R}(pw, c_L, vk_L; r_L)
  SK ← K_L · K_R
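A worked smooth projective hash, added here as an example and not taken from the slides or the Gennaro-Lindell paper: the classic SPHF for the language "c is an ElGamal encryption of m" over the same constructed toy group (p = 1019, q = 509, g = 4). It is deliberately simpler than the variant the slides use: plain CPA-secure ElGamal rather than a CCA-secure scheme, a projected key hp = g^a·h^b that does not depend on c, and no signature keys, labels or transcript signatures. The password encoding `encode_password` and the helper `same_projection` (which uses the decryption key to build a second hashing key with the same hp, purely to exhibit smoothness) are assumptions of this example. One half of the GL flow is then run in `pake_keys`: Alice encrypts her password, Bob answers with hp and keeps H(hk, pw, c), and Alice computes h(hp, pw, c; r) from her coins; the two values agree exactly when both hold the same password, and when the ciphertext encrypts a different password, hp no longer pins down H at all.

```python
import hashlib
import secrets

# Toy group (constructed for illustration; far too small for real use):
# safe prime p = 2q + 1, g = 4 generates the order-q subgroup of quadratic residues.
P, Q, G = 1019, 509, 4


def encode_password(pw: str) -> int:
    """Hypothetical encoding of a password as a subgroup element: g^(SHA-256(pw) mod q)."""
    d = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % Q
    return pow(G, d, P)


def elgamal_keygen(x=None):
    """Encryption key pair: sk = x, pk = h = g^x (x may be fixed for tests)."""
    x = secrets.randbelow(Q) if x is None else x
    return x, pow(G, x, P)


def elgamal_encrypt(pk, m, r=None):
    """c = E(pk, m; r) = (g^r, h^r * m). The coins r are returned because the
    party who encrypted needs them later for the projected hash."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), pow(pk, r, P) * m % P), r


def hash_keygen(a=None, b=None):
    """hk = HK(pk): two uniform exponents (a, b)."""
    a = secrets.randbelow(Q) if a is None else a
    b = secrets.randbelow(Q) if b is None else b
    return a, b


def project(pk, hk):
    """hp = alpha(hk) = g^a * h^b. Here hp is independent of c; the GL variant on
    the slides additionally binds hp to the ciphertext and the signature key."""
    a, b = hk
    return pow(G, a, P) * pow(pk, b, P) % P


def hash_value(hk, m, c):
    """H(hk, m, c) = u^a * (e / m)^b, computable by whoever holds hk.
    If c = (g^r, h^r * m) this equals (g^a * h^b)^r = hp^r."""
    a, b = hk
    u, e = c
    return pow(u, a, P) * pow(e * pow(m, -1, P) % P, b, P) % P


def proj_hash(hp, r):
    """h(hp, m, c; r) = hp^r, computable by whoever knows the coins r of c."""
    return pow(hp, r, P)


def same_projection(sk, hk, t):
    """Demonstration helper (needs sk = x): hk' = (a - x*t, b + t) has the same hp.
    On the language H(hk') = H(hk); off it, the two hashes differ, which is smoothness."""
    a, b = hk
    return ((a - sk * t) % Q, (b + t) % Q)


def pake_keys(pw_alice, pw_bob, pk, r=None, hk=None):
    """One half of the GL flow. Returns (Alice's value, Bob's value)."""
    c, r = elgamal_encrypt(pk, encode_password(pw_alice), r)   # Alice -> Bob: c
    hk = hash_keygen() if hk is None else hk
    hp = project(pk, hk)                                       # Bob -> Alice: hp
    return proj_hash(hp, r), hash_value(hk, encode_password(pw_bob), c)


if __name__ == "__main__":
    _, h = elgamal_keygen()
    ka, kb = pake_keys("correct horse", "correct horse", h)
    print("same password, keys agree:", ka == kb)
    ka, kb = pake_keys("correct horse", "battery staple", h)
    print("different password, keys agree:", ka == kb)
```

The last assertion in the test is the one that matters for password security: for a ciphertext of the wrong message, two hashing keys that are indistinguishable from hp's point of view yield different H values, so a party who sees only hp learns nothing about the session key it failed to compute.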