Hash Proof Systems and Password Protocols III – SPHF-based PAKE
David Pointcheval
CNRS, Ecole normale supérieure/PSL & INRIA
8th BIU Winter School – Key Exchange, February 2018
CNRS/ENS/PSL/INRIA David Pointcheval 1/53

Intuition of PAKE with a Commitment (2/53)
- We denote $L_{pw}$ the language of the commitments of $pw$.
- Alice sends $C_A$, a commitment of $pw_A$, to Bob (no leakage: hiding property).
- Bob can ask to verify that $C_A \in L_{pw_B}$: Bob sends $hp_B$ to Alice, and computes $H_A \leftarrow \mathrm{Hash}(hk_B, C_A)$.
- Alice can compute $pH_A \leftarrow \mathrm{ProjHash}(hp_B, C_A, w_A)$.
- $H_A = pH_A \iff pw_A = pw_B$
- Security: if $pw_B \neq pw_A$, $H_A$ is perfectly unpredictable to Alice (smoothness).
- For a non-trivial language, the commitment must be perfectly binding, e.g., ElGamal encryption: $C_A = (g^r, h^r \times g^{pw_A})$.

SPHF-based PAKE: First Attempt (3/53)
- $X = G^2$ and $L_{pw} = \{(g^r, h^r \times g^{pw})\}$
- Alice sends $C_A = (u = g^r, e = h^r \times g^{pw_A})$ to Bob.
- Bob generates $hk = (\alpha, \beta) \xleftarrow{\$} \mathbb{Z}_p^2$ and sends $hp \leftarrow g^\alpha h^\beta$.
- Bob computes $H \leftarrow u^\alpha (e / g^{pw_B})^\beta$.
- Alice computes $pH \leftarrow hp^r$.
- $H = pH = g^{\alpha r} h^{\beta r} \iff pw_A = pw_B$
- Security: if $pw_B \neq pw_A$, $H$ is perfectly unpredictable to Alice (smoothness).
- $C_A$ does not leak $pw_A$ under the DDH assumption.
- From the view of $pH$ (Reveal-query), Bob can look for $pw$ such that $u^\alpha (e / g^{pw})^\beta = pH$ $\Longrightarrow$ off-line dictionary attack!
SPHF-based PAKE (4/53)
- We denote $L_{pw}$ the language of the commitments of $pw$.
- Alice sends $C_A$, a commitment of $pw_A$, to Bob (no leakage: hiding property).
- Bob can ask to verify that $C_A \in L_{pw_B}$: Bob sends $hp_B$ to Alice, and computes $H_A \leftarrow \mathrm{Hash}(hk_B, C_A)$.
- Alice can compute $pH_A \leftarrow \mathrm{ProjHash}(hp_B, C_A, w_A)$.
- $H_A = pH_A \iff pw_A = pw_B$
- Bob must also prove his knowledge of $pw_B = pw_A$ before having access to $pH$:
  either with an implicit proof [Gennaro–Lindell – Eurocrypt '03],
  or with an explicit proof [Groce–Katz – CCS '10].

Outline (5/53–7/53)
Introduction
1 Game-based Security
  - Gennaro-Lindell PAKE
  - Groce-Katz PAKE
  - Improvements
2 Universal Composability
  - UC-Secure PAKE: Static Corruptions
  - UC-Secure PAKE: Adaptive Corruptions
Conclusion
SPHF-based PAKE: Implicit Proof (8/53)
- We denote $L_A$ / $L_B$ the languages of the commitments of $pw_A$ / $pw_B$.
- Alice sends $C_A$, a commitment of $pw_A$, to Bob.
- Bob can ask to verify that $C_A \in L_B$: Bob sends $hp_B$ to Alice, and computes $H_A \leftarrow \mathrm{Hash}_B(hk_B, C_A)$.
- Alice can compute $pH_A \leftarrow \mathrm{ProjHash}_A(hp_B, C_A, w_A)$.
- Bob sends $C_B$, a commitment of $pw_B$, to Alice.
- Alice can ask to verify that $C_B \in L_A$: Alice sends $hp_A$ to Bob, and computes $H_B \leftarrow \mathrm{Hash}_A(hk_A, C_B)$.
- Bob can compute $pH_B \leftarrow \mathrm{ProjHash}_B(hp_A, C_B, w_B)$.
- Bob computes $K_B \leftarrow H_A \oplus pH_B$; Alice computes $K_A \leftarrow pH_A \oplus H_B$.
- $K_B = H_A \oplus pH_B = pH_A \oplus H_B = K_A \iff pw_A = pw_B$

SPHF-based PAKE: Man-In-The-Middle Attack (9/53)
- $X = G^2$ and $L_{pw} = \{(g^r, h^r \times g^{pw})\}$
- Alice sends $C_A = (u_A = g^{r_A}, e_A = h^{r_A} \times g^{pw_A})$ to Bob.
- Bob generates $hk_B = (\alpha_B, \beta_B) \xleftarrow{\$} \mathbb{Z}_p^2$ and sends $hp_B \leftarrow g^{\alpha_B} h^{\beta_B}$.
- Bob sends $C_B = (u_B = g^{r_B}, e_B = h^{r_B} \times g^{pw_B})$ to Alice.
- Alice generates $hk_A = (\alpha_A, \beta_A) \xleftarrow{\$} \mathbb{Z}_p^2$ and sends $hp_A \leftarrow g^{\alpha_A} h^{\beta_A}$.
- Alice computes $K_A \leftarrow u_B^{\alpha_A} \cdot (e_B / g^{pw_A})^{\beta_A} \times hp_B^{r_A}$.
- Bob computes $K_B \leftarrow hp_A^{r_B} \times u_A^{\alpha_B} \cdot (e_A / g^{pw_B})^{\beta_B}$.
- $K_A = K_B \iff pw_A = pw_B$
- The adversary can mount a man-in-the-middle attack: it forwards everything except $C_B$ to Alice, which it replaces by $C'_B = C_B \times (g, h)$. Alice then computes
  $K'_A = u_B^{\alpha_A} g^{\alpha_A} \cdot (e_B / g^{pw_A})^{\beta_A} h^{\beta_A} \times hp_B^{r_A} = K_A \times g^{\alpha_A} h^{\beta_A} = K_B \times hp_A$
SPHF-based PAKE: Man-In-The-Middle Attack (10/53)
From the man-in-the-middle attack:
- the adversary can ask for a Reveal-query to Alice;
- the adversary can ask for a Test-query to Bob (the session IDs are different);
- the adversary can check the relation between the keys to decide on $b'$.
The commitment $C_B$ must be non-malleable or confirmed to Bob.

GL-PAKE [Gennaro-Lindell – Eurocrypt '03] (11/53)
Alice: $r_A \xleftarrow{\$} \$$; $C_A \leftarrow \mathrm{Enc}(pw_A, r_A)$; sends $C_A$ to Bob.
Bob: $hk_B \leftarrow \mathrm{HashKG}()$; $hp_B \leftarrow \mathrm{ProjKG}(hk_B)$; $H_A \leftarrow \mathrm{Hash}_B(hk_B, C_A)$; $r_B \xleftarrow{\$} \$$; $C_B \leftarrow \mathrm{Enc}'(pw_B, r_B)$; sends $hp_B, C_B$ to Alice.
Alice: $pH_A \leftarrow \mathrm{ProjHash}_A(hp_B, C_A, r_A)$; $hk_A \leftarrow \mathrm{HashKG}()$; $hp_A \leftarrow \mathrm{ProjKG}(hk_A)$; $H_B \leftarrow \mathrm{Hash}_A(hk_A, C_B)$; sends $hp_A$ to Bob.
Bob: $pH_B \leftarrow \mathrm{ProjHash}_B(hp_A, C_B, r_B)$.
Keys: $K_A \leftarrow H_B \times pH_A$ and $K_B \leftarrow pH_B \times H_A$.
Which security properties are required of the encryption schemes?

GL-PAKE: Security Proof (12/53)
Send-queries to Bob: oracle-generated $C_A$ with $pw_A = pw_B = pw$.
Starting from the honest execution above (with $C_A \leftarrow \mathrm{Enc}(pw, r_A)$ and $C_B \leftarrow \mathrm{Enc}'(pw, r_B)$), the struck-out values on the slide are replaced as follows:
- $pH_B \leftarrow \mathrm{ProjHash}(hp_A, C_B, r_B)$ is replaced by $pH_B \leftarrow H_B$ (correctness: an oracle-generated $C_A$ should imply an oracle-generated $hp_A$).
- $K_B \leftarrow pH_B \times H_A$ is replaced by $K_B \leftarrow K_A$ (correctness: an oracle-generated $hp_A$ should confirm $hp_B$).
- $C_B \leftarrow \mathrm{Enc}'(pw, r_B)$ is replaced by $C_B \leftarrow \mathrm{Enc}'(\$, \$)$ (IND-CPA).
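The following is an added example, not code from the slides or from the authors cited, that implements the ElGamal-based SPHF of slide 3 ($hk = (\alpha, \beta)$, $hp = g^\alpha h^\beta$, $\mathrm{Hash} = u^\alpha (e/g^{pw})^\beta$, $\mathrm{ProjHash} = hp^r$), runs the GL-PAKE flow of slide 11 in multiplicative notation, and checks the algebraic relation $K'_A = K_A \times hp_A$ from slide 9, i.e. why slide 10 requires $C_B$ to be non-malleable. The group parameters (a 10-bit safe prime) and every function name are constructed assumptions for readability; the `mangle_cb` flag stands in for the adversary's replacement of $C_B$ by $C_B \times (g, h)$.

```python
"""Toy SPHF over ElGamal commitments and the GL-PAKE key derivation.

Added example (not the slides' own code). Constructed parameters: P = 2Q+1 is a
safe prime, G generates the order-Q subgroup, H = G^x with x discarded. A real
deployment uses a cryptographically large group; 1019 is only for hand-checking.
"""
import secrets

P = 1019            # safe prime, P = 2*Q + 1
Q = 509             # prime order of the subgroup generated by G
G = 4               # quadratic residue mod P, hence of order Q
H = pow(G, 123, P)  # public h = g^x; the exponent x is thrown away


def commit(pw: int, r: int) -> tuple[int, int]:
    """ElGamal commitment C = (u, e) = (g^r, h^r * g^pw); r is the witness."""
    return pow(G, r, P), (pow(H, r, P) * pow(G, pw, P)) % P


def hash_kg() -> tuple[int, int]:
    """HashKG: hk = (alpha, beta), drawn non-zero in Z_q."""
    return secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1


def proj_kg(hk: tuple[int, int]) -> int:
    """ProjKG: hp = g^alpha * h^beta."""
    alpha, beta = hk
    return (pow(G, alpha, P) * pow(H, beta, P)) % P


def hash_value(hk: tuple[int, int], C: tuple[int, int], pw: int) -> int:
    """Hash(hk, C) for the language L_pw: u^alpha * (e / g^pw)^beta.

    If C commits to pw this equals hp^r; otherwise it is off by the factor
    g^{beta * (pw_committed - pw)}, which is uniform because beta is secret
    (smoothness), so the hasher learns nothing about the other side's key.
    """
    alpha, beta = hk
    u, e = C
    e_over_gpw = (e * pow(G, (-pw) % Q, P)) % P   # e / g^pw, using ord(G) = Q
    return (pow(u, alpha, P) * pow(e_over_gpw, beta, P)) % P


def proj_hash(hp: int, r: int) -> int:
    """ProjHash(hp, C, w): hp^r, computed from the witness r alone."""
    return pow(hp, r, P)


def gl_pake(pw_a, pw_b, r_a, r_b, hk_a, hk_b, mangle_cb=False):
    """One GL-PAKE run (slide 11) with explicit randomness; returns (K_A, K_B, hp_A).

    With mangle_cb=True the value C_B is replaced on the wire by C_B * (g, h),
    the malleation of slide 9: a commitment to the same pw_B under randomness
    r_B + 1, so Alice's SPHF still accepts it and her key becomes K_A * hp_A.
    """
    # Alice -> Bob: C_A
    C_a = commit(pw_a, r_a)
    # Bob: hash key for L_{pw_B}, hash of C_A, own commitment
    hp_b = proj_kg(hk_b)
    H_a = hash_value(hk_b, C_a, pw_b)
    C_b = commit(pw_b, r_b)
    # Bob -> Alice: hp_B, C_B (possibly altered in transit)
    C_b_recv = (C_b[0] * G % P, C_b[1] * H % P) if mangle_cb else C_b
    # Alice: projected hash with her witness r_A, then hash key for L_{pw_A}
    pH_a = proj_hash(hp_b, r_a)
    hp_a = proj_kg(hk_a)
    H_b = hash_value(hk_a, C_b_recv, pw_a)
    K_a = H_b * pH_a % P
    # Alice -> Bob: hp_A; Bob finishes with his witness r_B
    pH_b = proj_hash(hp_a, r_b)
    K_b = pH_b * H_a % P
    return K_a, K_b, hp_a


if __name__ == "__main__":
    hk_a, hk_b = hash_kg(), hash_kg()
    print("same pw :", gl_pake(5, 5, 11, 22, hk_a, hk_b)[:2])
    print("diff pw :", gl_pake(5, 6, 11, 22, hk_a, hk_b)[:2])
    K_a, _, hp_a = gl_pake(5, 5, 11, 22, hk_a, hk_b)
    K_a_m, _, _ = gl_pake(5, 5, 11, 22, hk_a, hk_b, mangle_cb=True)
    print("K'_A == K_A * hp_A:", K_a_m == K_a * hp_a % P)
```

The equal-password run yields $K_A = K_B$ by correctness of the SPHF; with distinct passwords the keys differ by $g^{(\beta_A + \beta_B)(pw_B - pw_A)}$, which is uniform from either side's view. The mangled run shows that Bob's key is untouched while Alice's key is exactly $K_A \times hp_A$ with $hp_A$ public, which is the relation the adversary of slide 10 would test; a non-malleable commitment (or a confirmation step for $C_B$) removes this structure.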
GL-PAKE: Security Proof (13/53)
Send-queries to Bob: oracle-generated $C_A$ with $pw_A \neq pw_B$.
Starting from the honest execution, the struck-out values on the slide are replaced as follows:
- $C_B \leftarrow \mathrm{Enc}'(pw, r_B)$ is replaced by $C_B \leftarrow \mathrm{Enc}'(\$, \$)$ (IND-CPA).
- $H_A \leftarrow \mathrm{Hash}_B(hk_B, C_A)$, $H_B \leftarrow \mathrm{Hash}_A(hk_A, C_B)$ and $pH_B \leftarrow \mathrm{ProjHash}_B(hp_A, C_B, r_B)$ are no longer computed.
- $K_A \leftarrow H_B \times pH_A$ is replaced by $K_A \leftarrow \$$ (smoothness).

GL-PAKE: Security Proof (14/53)
Send-queries to Bob: non-oracle-generated $C_A$.
- On receiving $C_A$: if $\mathrm{Dec}(C_A) = pw_B$, STOP&WIN.
- Otherwise Bob proceeds with $hk_B \leftarrow \mathrm{HashKG}()$; $hp_B \leftarrow \mathrm{ProjKG}(hk_B)$, and the struck-out values are replaced as follows:
  - $H_A \leftarrow \mathrm{Hash}_B(hk_B, C_A)$ is no longer computed.
  - $C_B \leftarrow \mathrm{Enc}'(pw, r_B)$ is replaced by $C_B \leftarrow \mathrm{Enc}'(\$, \$)$ (IND-CPA).
  - $pH_B \leftarrow \mathrm{ProjHash}_B(hp_A, C_B, r_B)$ is no longer computed.
  - $K_B \leftarrow pH_B \times H_A$ is replaced by $K_B \leftarrow \$$ (smoothness).
- The adversary must encrypt the correct password: password-guessing probability.

GL-PAKE: Security Proof (15/53)
Send-queries to Alice: oracle-generated $C_B$.
Case oracle-generated $C_A$ (Alice: $r_A \xleftarrow{\$} \$$; $C_A \leftarrow \mathrm{Enc}(pw_A, r_A)$; Bob: $hk_B \leftarrow \mathrm{HashKG}()$; $hp_B \leftarrow \mathrm{ProjKG}(hk_B)$):
- $C_B$ is replaced by $C_B \leftarrow \mathrm{Enc}'(\$, \$)$.
- Alice computes $pH_A \leftarrow \mathrm{ProjHash}_A(hp_B, C_A, r_A)$; $hk_A \leftarrow \mathrm{HashKG}()$; $hp_A \leftarrow \mathrm{ProjKG}(hk_A)$, but $H_B \leftarrow \mathrm{Hash}_A(hk_A, C_B)$ and $K_A \leftarrow H_B \times pH_A$ are replaced by $K_A \leftarrow \$$ (smoothness).
- If $pw_A = pw_B$, $K_B \leftarrow K_A$; if $pw_A \neq pw_B$, $K_B \leftarrow \$$.
Case non-oracle-generated $C_A$:
- On receiving $C_A$: if $\mathrm{Dec}(C_A) = pw_B$, STOP&WIN.
- Otherwise $hk_B \leftarrow \mathrm{HashKG}()$; $hp_B \leftarrow \mathrm{ProjKG}(hk_B)$; $C_B \leftarrow \mathrm{Enc}'(\$, \$)$; after receiving $hp_A$, $K_B \leftarrow \$$ (smoothness).