efficient uc secure authenticated key exchange for
play

Efficient UC-Secure Authenticated Key-Exchange for Algebraic - PowerPoint PPT Presentation

Jan 16, 2024 •458 likes •914 views

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Cline Chevalier David Pointcheval Damien Vergnaud Horst Grtz Institute for IT Security / Ruhr-University Bochum ENS /

  1. Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages PKC 2013 , Fabrice Ben Hamouda Olivier Blazy Céline Chevalier David Pointcheval Damien Vergnaud Horst Görtz Institute for IT Security / Ruhr-University Bochum ENS / CNRS / INRIA / Université Panthéon-Assas

  2. 1 Introduction LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26

  3. 1 Introduction 2 Building Blocks LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26

  4. 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26

  5. 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange 4 Conclusion LAKE | Horst Görtz Institute for IT-Security | PKC 2013 2/26

  6. Outline 1 Introduction 2 Building Blocks 3 Language Authenticated Key Exchange 4 Conclusion

  7. Authenticated Key Exchange Alice Bob − − − − − − − − − − − − − − − → ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − → K AB Share a common session key iff everything goes well. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 4/26

  8. Password Authenticated Key Exchange [BM92] Alice Bob − − − − − − − − − − − − − − − → ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − → pw A pw B Share a common session key iff they possess the same password. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 5/26

  9. Secret Handshakes [BDSS03] Alice Bob − − − − − − − − − − − − − − − → ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − → σ A σ B Share a common session key iff their signatures fit. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 6/26

  10. Credential Authenticated Key Exchange [CCGS10] Alice Bob − − − − − − − − − − − − − − − → ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − → Cred ( A ) Cred ( B ) Share a common session key iff they possess the required credentials. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 7/26

  11. Language Authenticated Key Exchange Alice Bob − − − − − − − − − − − − − − − → ← − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − → w A w B Share a common session key iff their (words/languages) fit. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 8/26

  12. Outline 1 Introduction 2 Building Blocks Cramer Shoup Encryption Revisited Smooth Projective Hash Functions and their language Manageable Languages 3 Language Authenticated Key Exchange 4 Conclusion

  13. Cramer Shoup Encryption Definition [CS02] § Setup ( 1 λ ) : Generates a multiplicative group ( p , G , g 1 , g 2 ) . $ ← Z 6 § EKeyGen E ( param ) : dk = ( µ 1 , 2 , ν 1 , 2 , η 1 , 2 ) p , pk = ( c = g µ 1 1 g µ 2 2 , h = g η 1 1 g η 2 2 , d = g ν 1 1 g ν 2 2 ) . $ § Encrypt ( pk , M ; α ) : For M , and α ← Z p , defines C = CS ( M ; α ) as � u = ( g α 1 , g α 2 ) , e = Mh α , v = ( cd ξ ) α � . ξ = Hash ( u , e ) § Decrypt ( dk = ( µ, ν, η ) , C = ( u , e , v )) : If v = � u µ i + ξν i , then M = e · � u − η i . i i IND-CCA under DDH LAKE | Horst Görtz Institute for IT-Security | PKC 2013 10/26

  14. Double Cramer Shoup Encryption Definition § Setup ( 1 λ ) : Generates a multiplicative group ( p , G , g 1 , g 2 ) . § EKeyGen E ( param ) : dk $ ← Z 6 p , pk. § Encrypt 1 ( pk , M ; α ) : C = CS ( M ; α ) . ← Z p , defines C ′ = CS ′ ( N , ξ ; α ) $ § Encrypt 2 ( pk , N , ξ ; α ′ ) : For N , and α as u ′ = ( g α ′ 2 ) , e ′ = Mh α ′ , v ′ = ( cd ξ ) α ′ � 1 , g α ′ � . § Decrypt ( dk = ( µ, ν, η ) , C = ( u , e , v ) , C ′ ) : If v = � u µ i + ξν i , then M = e · � u − η i . i i If v ′ = � u ′ µ i + ξν i , then N = e ′ · � u ′ − η i . i i IND-PD-CCA under DDH (IND-CCA on CS, IND-CPA on CS’) LAKE | Horst Görtz Institute for IT-Security | PKC 2013 11/26

  15. Multi Double Cramer Shoup Encryption Definition § Setup ( 1 λ ) : Generates a multiplicative group ( p , G , g 1 , g 2 ) . § EKeyGen E ( param ) : dk $ ← Z 6 p , pk. § Encrypt 1 ( pk , M ; α ) : C = CS ( M ; α ) , where ξ = Hash ( u , e ) . § Encrypt 2 ( pk , N , ξ ; α ′ ) : C ′ = CS ′ ( N , ξ ; α ′ ) . § Decrypt ( dk = ( µ, ν, η ) , C , C ′ ) : If v = � u i µ i + ξν i , then M = e · � u i − η i . If v ′ = � u ′ µ i + ξν i , then N = e ′ · � u ′ − η i . i i IND-PD-CCA under DDH. LAKE | Horst Görtz Institute for IT-Security | PKC 2013 12/26

  16. Smooth Projective Hash Functions Definition [CS02,GL03] Let { H } be a family of functions: § X , domain of these functions § L , subset (a language) of this domain such that, for any point x in L , H ( x ) can be computed by using § either a secret hashing key hk: H ( x ) = Hash L ( hk ; x ) ; § or a public projected key hp: H ′ ( x ) = ProjHash L ( hp ; x , w ) Public mapping hk �→ hp = ProjKG L ( hk , x ) LAKE | Horst Görtz Institute for IT-Security | PKC 2013 13/26

  17. Properties For any x ∈ X , H ( x ) = Hash L ( hk ; x ) For any x ∈ L , H ( x ) = ProjHash L ( hp ; x , w ) w witness that x ∈ L LAKE | Horst Görtz Institute for IT-Security | PKC 2013 14/26

  18. Properties For any x ∈ X , H ( x ) = Hash L ( hk ; x ) For any x ∈ L , H ( x ) = ProjHash L ( hp ; x , w ) w witness that x ∈ L Smoothness For any x �∈ L , H ( x ) and hp are independent LAKE | Horst Görtz Institute for IT-Security | PKC 2013 14/26

  19. Properties For any x ∈ X , H ( x ) = Hash L ( hk ; x ) For any x ∈ L , H ( x ) = ProjHash L ( hp ; x , w ) w witness that x ∈ L Smoothness For any x �∈ L , H ( x ) and hp are independent Pseudo-Randomness For any x ∈ L , H ( x ) is pseudo-random, without a witness w LAKE | Horst Görtz Institute for IT-Security | PKC 2013 14/26

  20. Properties For any x ∈ X , H ( x ) = Hash L ( hk ; x ) For any x ∈ L , H ( x ) = ProjHash L ( hp ; x , w ) w witness that x ∈ L Smoothness For any x �∈ L , H ( x ) and hp are independent Pseudo-Randomness For any x ∈ L , H ( x ) is pseudo-random, without a witness w The latter property requires L to be a hard-partitioned subset of X : Hard-Partitioned Subset L is a hard-partitioned subset of X if it is computationally hard to distinguish a random element in L from a random element in X \ L LAKE | Horst Görtz Institute for IT-Security | PKC 2013 14/26

  21. Straightforward Languages § Diffie Hellman / Linear Tuple ( g , h , G = g a , H = h a ) Valid Diffie Hellman tuple? hp a = G κ H λ hp : g κ h λ Oblivious Transfer, Implicit Opening of a ciphertext LAKE | Horst Görtz Institute for IT-Security | PKC 2013 15/26

  22. Straightforward Languages § Diffie Hellman / Linear Tuple ( g , h , G = g a , H = h a ) Valid Diffie Hellman tuple? hp a = G κ H λ hp : g κ h λ Oblivious Transfer, Implicit Opening of a ciphertext ( U = u a , V = v b , W = g a + b ) Valid Linear tuple? hp : u κ g λ , v µ g λ hp a 1 hp b 2 = U κ V µ W λ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 15/26

  23. Straightforward Languages § Diffie Hellman / Linear Tuple § Conjunction / Disjunction L 1 ∩ L 2 Simultaneous verification H ′ 1 · H ′ hp : hp 1 , hp 2 2 = H 1 · H 2 ∧ A i LAKE | Horst Görtz Institute for IT-Security | PKC 2013 15/26

  24. Straightforward Languages § Diffie Hellman / Linear Tuple § Conjunction / Disjunction L 1 ∪ L 2 One out of 2 conditions H ′ = L 1 ? hp w 1 : hp w 2 2 · hp ∆ = X hk 1 hp = hp 1 , hp 2 , hp ∆ 1 1 Is it a bit? LAKE | Horst Görtz Institute for IT-Security | PKC 2013 15/26

  25. Advanced Languages § (Linear) Cramer-Shoup Encryption ( u 1 = g r 1 , u 2 = g r 2 , e = h r M , v = ( cd ξ ) r ) Verifiability of the CS hp r = u κ 1 g µ 1 u µ hp : g κ 2 ( cd ξ ) η h λ 2 v η ( e / M ) λ Implicit Opening of a ciphertext, verifiability of a ciphertext, PAKE LAKE | Horst Görtz Institute for IT-Security | PKC 2013 16/26

  26. Advanced Languages § (Linear) Cramer-Shoup Encryption ( u 1 = g r 1 , u 2 = g r 2 , e = h r M , v = ( cd ξ ) r ) Verifiability of the CS hp r = u κ 1 g µ 1 u µ hp : g κ 2 ( cd ξ ) η h λ 2 v η ( e / M ) λ Implicit Opening of a ciphertext, verifiability of a ciphertext, PAKE 2 , g r + s 2 M , ( c 1 d ξ 1 ) r ( c 2 d ξ ( g r 1 , g s , h r 1 h s 2 ) s ) Verifiability of the LCS 3 3 ( c 1 d ξ 1 ) η h λ , g µ 3 ( c 2 d ξ 1 u µ hp : g κ 1 g θ 2 g θ 2 ) η h λ hp r 1 hp s 2 = u κ 2 u θ 3 v η ( e / M ) λ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 16/26

  27. Advanced Languages § (Linear) Cramer-Shoup Encryption § Commitment of a commitment ( U = u a , V = v s , G = h s g a ) ELin hp : u η g λ , v θ h λ hp a 1 hp s 2 = U η V θ G λ LAKE | Horst Görtz Institute for IT-Security | PKC 2013 16/26

Recommend

Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng

Strongly Secure One-Round GAKE Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model Yong Li, Zheng Yang Ruhr-University Bochum CANS 2013 1 / 40 Introduction, Motivation and Contributions GAKE Security Model

515 views • 50 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1

Diffie-Hellman key exchange Secure against passive eavesdropping but insecure against a man-in-the-middle attack CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva Authenticated key exchange 1 2 Adding key

492 views • 5 slides
Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen

Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange Kristian Gjsteen 1 Tibor Jager 2 NTNU - Norwegian University of Science and Technology, Trondheim, Norway, kristian.gjosteen@ntnu.no Paderborn University, Paderborn,

360 views • 34 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data

Secure and Efficient Access to Outsourced Data Secure and Efficient Access to Outsourced Data Weichao Wang, Zhiwei Li, Rodney Owens, Bharat Bhargava CCSW 2009: The ACM Cloud Computing Security Workshop 1 The Problem Providing secure and

414 views • 19 slides
Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory

Ouroboros: a simple, secure and efficient key exchange protocol based on coding theory Jean-Christophe Deneuville < jean-christophe.deneuville@xlim.fr > June the 26 th , 2017 PQCrypto 17 Utrecht Joint work with: P. Gaborit G. Z

1.54k views • 84 slides
PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable

PURPOSE Mission - to support, promote, and encourage the exchange of secure and reliable health information among stakeholders and regional networks Vision to develop a framework for the efficient exchange of patient-centric health

478 views • 21 slides
Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung

Secure Information Exchange for Secure Information Exchange for Omniscience Omniscience Chung Chan (CityU) Joint work with Navin Kashyap (IISc), Praneeth Kumar Vippathalla, (IISc) and Qiaoqiao Zhou (CUHK) Audio slides:

443 views • 17 slides
Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai

Learning with Errors Classic Key Exchange Lattice-based Key Exchange Authenticated Key Exchange from Ring Learning with Errors Jiang Zhang Zhenfeng Zhang Jintai Ding Michael Snook zgr Dagdelen DIMACS Workshop on the Mathematics of

339 views • 33 slides
A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval

A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval

A Scalable Password-based Group Key Exchange Protocol in the Standard Model David Pointcheval cole normale suprieure & CNRS Joint work with: Michel Abdalla Authenticated Key Exchange (AKE) Goal: Secure channel Allows two parties

283 views • 12 slides
Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk, Sebastian Lauer Ruhr-University Bochum Classical Key Exchange Setting m1 Bob Alice m2 skA skB pkB pkA mq-1 mq derive K derive K 2

185 views • 18 slides
Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 17 th , 2019 Outline Security of the Diffie-Hellman Key Exchange Man-in-the-Middle attacks

1.09k views • 85 slides
Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 ,

Introduction Motivation Specification for Beetle Hardware Implementation Results of Beetle Conclusions Beetle Family of Lightweight and Secure Authenticated Encryption Ciphers Avik Chakraborti 1 , Nilanjan Datta 2 , Mridul Nandi 3 and Kan

614 views • 32 slides
Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog;

Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog;

Authenticated Encryption in SSH Kenny Paterson Information Security Group @kennyog; www.isg.rhul.ac.uk/~kp Overview (both lectures) Secure channels and their properties AEAD (revision) AEAD secure channel the [APW09] attack

1.63k views • 72 slides
Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message

Simple and Communication Complexity Efficient Almost Secure and Perfectly Secure Message Transmission Schemes Yvo Desmedt 1 , 2 Stelios Erotokritou 1 Reihaneh Safavi-Naini 3 1 Department of Computer Science University College London, UK 2

459 views • 33 slides
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David

Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale sup erieure/PSL & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA David

319 views • 14 slides
-Tree: A Gas-Efficient Structure for Authenticated Range Queries in Blockchain

-Tree: A Gas-Efficient Structure for Authenticated Range Queries in Blockchain

-Tree: A Gas-Efficient Structure for Authenticated Range Queries in Blockchain Ce Zhang, Cheng Xu, Jianliang Xu, Yuzhe Tang, Byron Choi Hong Kong Baptist University, Hong Kong Syracuse University, NY, USA Introduction Source:

693 views • 34 slides
Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE

Secure Returns SAFE AS A VAULT Secure SECONDS TO UPLOAD Efficient ACCESSIBLE ANYWHERE Convenient What is Secure Returns ? Secure Returns is a secure website where you and your clients can securely upload & download confidential

202 views • 9 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure

Secure and Efficient Metering Discussion Outline Clarifications Attack on Secure Metering Issues and Extensions Real World Other Directions Metering for General Access Structures Understanding the model Audit Agency

480 views • 35 slides
AUTHENTICATED AND EFFICIENT KEY MANAGEMENT FOR WIRELESS AD HOC NETWORKS Stefaan Seys and Bart

AUTHENTICATED AND EFFICIENT KEY MANAGEMENT FOR WIRELESS AD HOC NETWORKS Stefaan Seys and Bart

1 / 8 AUTHENTICATED AND EFFICIENT KEY MANAGEMENT FOR WIRELESS AD HOC NETWORKS Stefaan Seys and Bart Preneel Katholieke Universiteit Leuven, ESATSCD/COSIC Kasteelpark Arenberg 10, B3001 Heverlee, Belgium { Stefaan.Seys, Bart.Preneel }

194 views • 8 slides
IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based

IPAKE IPAKE Summary Summary Isomorphisms for Password-based Isomorphisms for Password-based Authenticated Key Exchange Authenticated Key Exchange Dario Catalano David Pointcheval Password-based CNRS-ENS France Authenticated Key

291 views • 5 slides
MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and

MRA and SPAA Secure Communications The Secure Data Exchange Portal (SDEP) Jonathan Hawkins and Neil Brinkley Background The MRA and SPAA require that Suppliers and Networks Operators work together to resolve a number of issues that may arise

975 views • 28 slides
ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline:

ALIKE: Authenticated Lightweight Key Exchange Sandrine Agagliate, GEMALTO Security Labs Outline: Context Description of ALIKE Generic description Full specification Security properties Chip Unforgeability and Channel Secrecy Underlying

400 views • 21 slides

More recommend