

  1. A Generic Variant of NIST’s KAS2 Key Agreement Protocol Sanjit Chatterjee (Joint work with Alfred Menezes and Berkant Ustaoglu) Indian Institute of Science

  2. KAS2 Key Agreement Protocol
  ◮ NIST’s SP 800-56B [2009] standardizes several RSA-based key establishment schemes.
  ◮ KAS2-bilateral-confirmation (KAS2) is a three-pass protocol that offers key confirmation.
  ◮ SP 800-56B describes three other variants of KAS2 and also a two-pass protocol KAS1.
  ◮ KAS2-bilateral-confirmation protocol offers the most security attributes of the different KAS2 variants.
  ◮ Most likely to be deployed in applications that wish to be compliant with SP 800-56B.
  ◮ We focus on this particular version of KAS2.

  3. Our Work
  ◮ A generic three-pass key agreement protocol based on a trapdoor one-way function family.
  ◮ A security model for the generic protocol.
  ◮ Specific instantiations:
    1. RSA setting: yields the KAS2 protocol.
    2. Discrete log setting: yields a new protocol DH2.
    3. Hybrid setting: combines the RSA and dlog settings to get a new protocol called KAS2-DH2.
  ◮ Reductionist security argument in the RSA and discrete log settings.

  4. A Trapdoor One-way Function Family
  ◮ Let f : Z → Z be from a family of trapdoor one-way functions.
    1. f is bijective.
    2. ∃ an efficient algorithm that outputs (X, f(X)) with X ∈_R Z.
    3. Given f(X) for X ∈_R Z, it is infeasible to determine X.
    4. Given a trapdoor T_f, one can efficiently compute X given f(X) for X ∈_R Z.

  5. A Trapdoor One-way Function Family (RSA setting)
  ◮ f_{N,e} : Z_N → Z_N defined as f_{N,e}(m) = m^e mod N.
  ◮ (N, e) is an RSA public key.
  ◮ The trapdoor is the RSA private key d.

  6. A Trapdoor One-way Function Family (discrete log setting)
  ◮ G = ⟨g⟩: cyclic group of prime order q.
  ◮ Let a ∈_R Z_q, A = g^a.
  ◮ f_A : G → G defined as f_A(g^x) = A^x is a trapdoor one-way function with trapdoor a.
  ◮ Diffie-Hellman division (DHD) problem: given g, A^x, A ∈ G, determine g^x.

  7. A Generic Protocol
    Â, f_A  (holds T_A, X)                         B̂, f_B  (holds T_B, Y)
                    X_B = f_B(X)           →
                    Y_A = f_A(Y), tag_B    ←
                    tag_A                  →
    tag_A = MAC_{κ_m}(I, Â, B̂, X_B, Y_A)
    tag_B = MAC_{κ_m}(R, B̂, Â, Y_A, X_B)
    (κ_m, κ) = H(X, Y, Â, B̂, X_B, Y_A)
  ◮ Â’s static public key is a trapdoor function f_A : Z_A → Z_A, and the corresponding trapdoor data T_A is her static private key.
  ◮ B̂’s static public key is the trapdoor function f_B : Z_B → Z_B, and the corresponding trapdoor data T_B is his static private key.
  ◮ MAC is a secure message authentication code algorithm.

  8. Security Model
  ◮ The static private key of a party is used as a trapdoor to extract the other party’s ephemeral private key.
  ◮ The session key is the hash of the individual ephemeral private keys (and some public information).
  ◮ We follow the eCK model but take into consideration the above features of the protocol.
  ◮ The definition of a fresh session is more restrictive compared to the eCK model.
  ◮ The model incorporates resistance to KCI attacks (not covered in the CK model).
  ◮ Also covers half-forward secrecy – security of a session key is preserved even if the adversary (M) learns the static key of one of the parties.

  9. Matching Sessions
  ◮ Let s = (Â, B̂, role, ∗, ∗), where role ∈ {I, R}, Â is the owner and B̂ is the peer of session s.
  ◮ Let s be a session with complete session identifier (Â, B̂, role_A, f_B(X), f_A(Y)) where role_A ∈ {I, R}.
  ◮ A session s∗ with session identifier (Ĉ, D̂, role_C, f_D(U), f_C(V)), where role_C ∈ {I, R}, is matching to s if
    1. Â = D̂ and B̂ = Ĉ,
    2. role_A ≠ role_C,
    3. f_B(X) = f_C(V) and f_A(Y) = f_D(U).
  ◮ A session s with incomplete session identifier (Â, B̂, I, f_B(X)) is matching to any session s∗ = (Ĉ, D̂, R, f_D(U), f_C(V)) with Â = D̂, B̂ = Ĉ and f_B(X) = f_C(V); s∗ is also matching to s.

  10. Adversary
  ◮ The adversary M controls all communications but does not have immediate access to a party’s private information.
  ◮ To capture possible leakage of private information, M is allowed to make the following queries:
    1. StaticKeyReveal(Â)
    2. EphemeralKeyReveal(s)
    3. SessionKeyReveal(s)
    4. EstablishParty(Â, A)
    5. Expire(s)
  ◮ Parties established by M using EstablishParty are called corrupted; parties not corrupted are honest.

  11. Fresh Session
  ◮ s: id of a completed session, owned by Â with peer B̂, both honest.
  ◮ s∗: id of the matching session of s (if it exists).
  ◮ s is fresh if none of the following conditions hold:
    1. M issued SessionKeyReveal(s) or SessionKeyReveal(s∗) (if s∗ exists).
    2. s∗ exists and M issued one of the following:
      2.1 Both StaticKeyReveal(Â) and EphemeralKeyReveal(s).
      2.2 Both StaticKeyReveal(B̂) and EphemeralKeyReveal(s∗).
      2.3 Both StaticKeyReveal(Â) and StaticKeyReveal(B̂).
      2.4 Both EphemeralKeyReveal(s) and EphemeralKeyReveal(s∗).
    3. s∗ does not exist and M issued one of the following:
      3.1 EphemeralKeyReveal(s).
      3.2 StaticKeyReveal(B̂) before Expire(s).

  12. Security of Key Agreement
  ◮ M is allowed to make a special query Test(s) to a fresh session s.
  ◮ M gets with equal probability either the session key held by s or a random key.
  ◮ M wins if it can guess correctly whether the key is random or not.
  ◮ M can continue interacting with the parties after issuing the Test query, but the test session must remain fresh throughout M’s experiment.

  13. Security of Key Agreement
  ◮ A key agreement protocol is secure if:
    1. If two honest parties complete matching sessions then, except with negligible probability, they both compute the same session key.
    2. No polynomially bounded adversary M can distinguish the session key of a fresh session from a randomly chosen session key with probability greater than 1/2 plus a negligible fraction.

  14. KAS2 Protocol
    Â, (N_A, e_A)  (holds d_A, m_1)                B̂, (N_B, e_B)  (holds d_B, m_2)
                    c_1 = m_1^{e_B} mod N_B          →
                    c_2 = m_2^{e_A} mod N_A, tag_B   ←
                    tag_A                            →
    tag_A = MAC_{κ_m}(I, Â, B̂, c_1, c_2)
    tag_B = MAC_{κ_m}(R, B̂, Â, c_2, c_1)
    (κ_m, κ) = H(m_1, m_2, Â, B̂, c_1, c_2)
  ◮ In SP 800-56B, H also takes as input an integer keydatalen, a bit string AlgorithmID, and two optional strings SuppPubInfo and SuppPrivInfo.
  ◮ (c_1, c_2) are included in SuppPubInfo to simplify the security reduction.
  ◮ keydatalen, AlgorithmID and SuppPrivInfo are omitted as they are not relevant in the security analysis.
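The following is an added worked example, not code from the slides or from SP 800-56B. It runs the generic three-pass protocol of slide 7 over the two trapdoor one-way function families of slides 5 and 6: the RSA family (which gives the KAS2 flow of slide 14) and the discrete-log family f_A(g^x) = A^x (which gives DH2). The toy primes, the use of SHA-256 as H (output split into κ_m and κ), HMAC-SHA256 as MAC, the fixed-width byte encoding, and the identifiers A/B are assumptions for illustration only; the standard's real encodings and key derivation differ, and real deployments use full-size parameters.

```python
# Added example (not from the slides): generic three-pass protocol over a
# trapdoor one-way function family, instantiated with RSA (KAS2) and with
# f_A(g^x) = A^x (DH2).  All parameters, H, MAC and encodings are assumptions.
import hashlib
import hmac
import secrets


class RSAFunction:
    """f_{N,e}(m) = m^e mod N on Z_N; the trapdoor is the private exponent d."""

    def __init__(self, p, q, e=65537):
        self.N, self.e = p * q, e
        self._d = pow(e, -1, (p - 1) * (q - 1))  # trapdoor T_f, owner only

    def sample(self):
        """Public operation: return (X, f(X)) for a random X in [2, N-2]."""
        x = secrets.randbelow(self.N - 3) + 2
        return x, pow(x, self.e, self.N)

    def invert(self, c):
        """Trapdoor operation: recover X from f(X)."""
        return pow(c, self._d, self.N)


class DHFunction:
    """f_A(g^x) = A^x on G = <g> of prime order q; the trapdoor is a."""

    def __init__(self, p, q, g):
        self.p, self.q, self.g = p, q, g
        self._a = secrets.randbelow(q - 1) + 1  # trapdoor a, owner only
        self.A = pow(g, self._a, p)             # public key A = g^a

    def sample(self):
        """Public operation: pick x and return (g^x, A^x); needs no trapdoor."""
        x = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, x, self.p), pow(self.A, x, self.p)

    def invert(self, Ax):
        """Trapdoor operation: (A^x)^(a^-1 mod q) = g^x, i.e. solve DHD with a."""
        return pow(Ax, pow(self._a, -1, self.q), self.p)


def enc(v):
    """Toy fixed-width encoding of ring/group elements (all < 2^64 here)."""
    return v.to_bytes(8, "big")


def H(x, y, ida, idb, xb, ya):
    """(kappa_m, kappa) = H(X, Y, A, B, X_B, Y_A): SHA-256 split into two halves."""
    digest = hashlib.sha256(b"|".join([enc(x), enc(y), ida, idb, enc(xb), enc(ya)])).digest()
    return digest[:16], digest[16:]


def MAC(km, *fields):
    return hmac.new(km, b"|".join(fields), hashlib.sha256).digest()


def run_protocol(f_A, f_B, ida=b"A", idb=b"B", substitute_Y_A=False):
    """Run the three passes and return (kappa at A, kappa at B); raise on a bad tag.

    f_A is A's static trapdoor function (only A calls invert on it), f_B is B's.
    substitute_Y_A models pass 2 arriving with a different f_A(Y') instead of
    Y_A, so that key confirmation must fail at A.
    """
    # Pass 1: A picks X in Z_B and sends X_B = f_B(X).
    X, X_B = f_B.sample()

    # B recovers X with T_B, picks Y in Z_A, derives keys, builds tag_B.
    X_at_B = f_B.invert(X_B)
    Y, Y_A = f_A.sample()
    km_B, k_B = H(X_at_B, Y, ida, idb, X_B, Y_A)
    tag_B = MAC(km_B, b"R", idb, ida, enc(Y_A), enc(X_B))

    # Pass 2: (Y_A, tag_B) on the wire, optionally with Y_A replaced.
    Y_A_recv = Y_A
    while substitute_Y_A and Y_A_recv == Y_A:
        Y_A_recv = f_A.sample()[1]

    # A recovers Y with T_A, derives keys, checks tag_B, builds tag_A.
    Y_at_A = f_A.invert(Y_A_recv)
    km_A, k_A = H(X, Y_at_A, ida, idb, X_B, Y_A_recv)
    if not hmac.compare_digest(tag_B, MAC(km_A, b"R", idb, ida, enc(Y_A_recv), enc(X_B))):
        raise ValueError("tag_B verification failed at A: no key confirmation")
    tag_A = MAC(km_A, b"I", ida, idb, enc(X_B), enc(Y_A_recv))

    # Pass 3: B checks tag_A against its own kappa_m.
    if not hmac.compare_digest(tag_A, MAC(km_B, b"I", ida, idb, enc(X_B), enc(Y_A))):
        raise ValueError("tag_A verification failed at B: no key confirmation")
    return k_A, k_B


def kas2_keys():
    """KAS2: both static keys are RSA functions (toy 20-bit moduli)."""
    return run_protocol(RSAFunction(1009, 1013), RSAFunction(1021, 1031))


def dh2_keys():
    """DH2: both static keys are f_A(g^x) = A^x in the order-509 subgroup mod 1019."""
    return run_protocol(DHFunction(1019, 509, 4), DHFunction(1019, 509, 4))


def substitution_detected():
    """True if A rejects a replaced Y_A, i.e. key confirmation does its job."""
    try:
        run_protocol(RSAFunction(1009, 1013), RSAFunction(1021, 1031), substitute_Y_A=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k_a, k_b = kas2_keys()
    print("KAS2 keys agree:", k_a == k_b)
    k_a, k_b = dh2_keys()
    print("DH2 keys agree:", k_a == k_b)
    print("Substituted Y_A rejected:", substitution_detected())
```

The two families expose the same two operations the generic protocol needs: a public `sample()` that produces (X, f(X)) without the trapdoor (property 2 of slide 4) and a trapdoor-only `invert()` (property 4). The substitution run shows why the key-confirmation tags matter: a party that receives a different Y_A derives a different κ_m and the MAC check fails before any session key is used.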

  15. Security of KAS2
  ◮ RSA problem: Determine m ∈ [2, N − 2] such that c ≡ m^e (mod N) given an RSA public key (N, e) and an integer c ∈_R [2, N − 2].
  ◮ RSA assumption: No polynomially-bounded algorithm can solve the RSA problem with non-negligible probability of success.
  ◮ Security statement: the KAS2 protocol is secure assuming:
    1. the RSA assumption holds;
    2. the MAC scheme is secure;
    3. H is a random oracle.

  16. Security Argument
  ◮ H is a random function, so M has only two strategies to win with probability significantly greater than 1/2:

  17. Security Argument
  ◮ Strategy 1: Induce two non-matching sessions to establish the same session key, set one as the test session, and issue a SessionKeyReveal query to the other.
  ◮ But non-matching completed sessions produce different session keys except with negligible probability of H collisions!

  18. Security Argument
  ◮ Strategy 2: Query oracle H with (c_1^{d_B} mod N_B, c_2^{d_A} mod N_A, Â, B̂, c_1, c_2), where the test session is (Â, B̂, I, c_1, c_2) or (B̂, Â, R, c_2, c_1).
  ◮ Construct S that takes as input an RSA challenge (N_V, e_V, c_V), has access to a MAC oracle with unknown key κ_m, and produces either a solution to the RSA challenge or a MAC forgery.
