
A Scalable Password-based Group Key Exchange Protocol in the Standard Model



  1. A Scalable Password-based Group Key Exchange Protocol in the Standard Model
     David Pointcheval, École normale supérieure & CNRS
     Joint work with: Michel Abdalla

     Authenticated Key Exchange (AKE)
     Goal: Secure channel
     • Allows two parties to establish a common secret in an authenticated way
     • Intuitive goal: implicit authentication
       – The session key should only be known to the parties involved in the protocol
     • Formally: semantic security
       – The session key should be indistinguishable from a random string

  2. Diffie-Hellman Protocol
     Let $G$ be a group in which the DDH problem is hard and let $g$ be a generator for $G$.
     • Alice: $sk_A \leftarrow \{0,\ldots,|G|-1\}$, $pk_A \leftarrow g^{sk_A}$; sends $pk_A$ to Bob
     • Bob: $sk_B \leftarrow \{0,\ldots,|G|-1\}$, $pk_B \leftarrow g^{sk_B}$; sends $pk_B$ to Alice
     • Shared key: $pk_B^{sk_A} = g^{sk_A sk_B} = pk_A^{sk_B}$
     Protocol does NOT provide authentication

     Authentication Techniques
     • Asymmetric techniques
       – Assume the existence of a public-key infrastructure
       – Each party holds a pair of secret and public keys
     • Symmetric techniques
       – Users share a random secret key
       – 2-party or 3-party settings
     • Password-based techniques
       – Consider the case of weak secrets (e.g., a 4-digit PIN)

  3. Group Password-based AKE (GPAKE)
     • Scenario: similar to the 2-party case, except that …
       – Number of protocol participants is variable
       – Password is shared among all participants
       – Session key is shared among all participants
     • Security goal
       – Similar to the 2-party case: indistinguishability
     Allows a pool of users to establish a common session key with only the help of passwords

     Communication Model
     • Users can have many protocol instances running concurrently
     • Communication controlled by the adversary
       – Adversary can create, modify, or forward messages
       – The transmission of messages is done via specific oracle queries

  4. Previous Work on GPAKE
     • [BressonChevassutP02]:
       – Group Diffie-Hellman password-based key exchange
       – Linear number of rounds
       – Security in the ROM and ICM

  5. The Burmester-Desmedt GKE (BD94)
     Parties $P_1, \ldots, P_i, \ldots, P_N$ (indices taken around the ring):
     • Round 1: $P_i$ picks $x_i \leftarrow \mathbb{Z}_p$ and broadcasts $X_i \leftarrow g^{x_i}$
     • $P_i$ computes $K_i \leftarrow X_{i+1}^{x_i}$ and $K_{i-1} \leftarrow X_{i-1}^{x_i}$
       – $P_1$: $K_1 \leftarrow X_2^{x_1}$, $K_N \leftarrow X_N^{x_1}$
       – $P_N$: $K_N \leftarrow X_1^{x_N}$, $K_{N-1} \leftarrow X_{N-1}^{x_N}$
     • Round 2: $P_i$ broadcasts $Z_i \leftarrow K_i / K_{i-1}$
       – $P_1$: $Z_1 \leftarrow K_1 / K_N$
       – $P_N$: $Z_N \leftarrow K_N / K_{N-1}$
     • $SK \leftarrow K_1 \cdot K_2 \cdots K_N$
     Protocol does NOT provide authentication

     Adding Password Authentication (Ideal Cipher Model)
     • EKE approach
       – Encrypt all flows using the password $pw$
       – Both $X_i$ and $Z_i$ are sent encrypted, as $\mathcal{E}_{pw}(X_i)$ and $\mathcal{E}_{pw}(Z_i)$
     • Problem
       – In the BD protocol, $Z_1 \cdot Z_2 \cdots Z_N = 1$
       – Dictionary attack:
         · Guess password $pw$
         · Compute $Z_i$ by decrypting each transmitted value with $D_{pw}$, for $i = 1, \ldots, N$
         · Check if $Z_1 \cdot Z_2 \cdots Z_N = 1$
     • A provably secure approach: [AbdallaBressonChevassutP06]
       – Encrypt only the first round of the BD protocol
       – With a key that depends on the password but also the session ID and the party ID
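The Burmester-Desmedt slide states only $SK = K_1 \cdots K_N$; the following added example (not from the slides) runs both rounds over a constructed toy group, shows how each party derives that product from its own $K_{i-1}$ and the broadcast $Z$ values, and checks the public relation $Z_1 \cdots Z_N = 1$ that makes password-encrypting the second round unsafe. The parameters and function names are assumptions chosen for illustration.

```python
import secrets

# Constructed toy parameters (assumption): p = 2q + 1 with q prime,
# g = 4 generates the subgroup of order q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def bd_round1(n):
    """Each P_i picks x_i and broadcasts X_i = g^x_i."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return xs, [pow(G, x, P) for x in xs]

def bd_round2(xs, Xs):
    """P_i computes K_i = X_{i+1}^x_i, K_{i-1} = X_{i-1}^x_i, broadcasts Z_i = K_i / K_{i-1}."""
    n = len(xs)
    Zs = []
    for i in range(n):
        k_right = pow(Xs[(i + 1) % n], xs[i], P)   # K_i
        k_left = pow(Xs[(i - 1) % n], xs[i], P)    # K_{i-1}
        Zs.append(k_right * pow(k_left, -1, P) % P)
    return Zs

def bd_key(i, xs, Xs, Zs):
    """P_i derives SK = K_1 * ... * K_N from its own K_{i-1} and the public Z values."""
    n = len(xs)
    k = pow(Xs[(i - 1) % n], xs[i], P)   # start from K_{i-1}
    sk = 1
    for j in range(n):
        sk = sk * k % P                  # multiply in K_{i-1}, K_i, K_{i+1}, ...
        k = k * Zs[(i + j) % n] % P      # K_{i+j} = K_{i+j-1} * Z_{i+j}
    return sk

def z_product(Zs):
    """The product Z_1 * ... * Z_N; it telescopes to 1 in every honest run."""
    r = 1
    for z in Zs:
        r = r * z % P
    return r

def run(n=5):
    """Return the set of keys derived by all parties and the product of the Z values."""
    xs, Xs = bd_round1(n)
    Zs = bd_round2(xs, Xs)
    return {bd_key(i, xs, Xs, Zs) for i in range(n)}, z_product(Zs)
```

Because the product of the second-round values is always 1, those values carry redundancy that anyone can check, which is why the provably secure approach on the slide encrypts only the first round.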

  6. The Burmester-Desmedt GKE: A Generic Version
     From any key exchange protocol KE:
     • $P_{i-1}$ and $P_i$ run KE and obtain $K_{i-1}$; $P_i$ and $P_{i+1}$ run KE and obtain $K_i$
     • Each party broadcasts its quotient:
       – $P_{i-1}$: $Z_{i-1} \leftarrow K_{i-1} / K_{i-2}$
       – $P_i$: $Z_i \leftarrow K_i / K_{i-1}$
       – $P_{i+1}$: $Z_{i+1} \leftarrow K_{i+1} / K_i$
     • $SK \leftarrow K_1 \cdot K_2 \cdots K_N$

     A GPAKE in the Standard Model: Intuition
     • Run an instance of the PAKE protocol between any two consecutive users
       – so that it generates 2 pairwise keys
     • Each user should authenticate its predecessor and successor (using one of the pairwise keys)
     • Use the 2 other pairwise keys to generate the group session key (Burmester-Desmedt)
     • Signatures authenticate the transcript of all messages that were broadcast in previous rounds, and that have to be linked together

  7. A GPAKE in the Standard Model: Outline
     • $P_{i-1}$ and $P_i$ run PAKE, obtaining $K^R_{i-1}$, $K_i$
     • $P_i$ and $P_{i+1}$ run PAKE, obtaining $K^R_i$, $K_{i+1}$
     • Authentication of $P_{i+1}$: $test^R_i \leftarrow UH(K^R_i)$; flow: $test^R_i$
     • Authentication of $P_{i-1}$: $test^L_i \leftarrow UH'(K^R_{i-1})$
     • Burmester-Desmedt: $X_i \leftarrow K_{i+1} / K_i$; flow: $test^L_i, X_i$
     • Link all the flows: $\sigma_i$
     • $SK \leftarrow UH''(K_1 \cdot K_2 \cdots K_N)$

     Smooth Projective Hash Functions [Gennaro-Lindell's variant]
     • Hash key generation: $hk = HK(pk)$
       – pk – public encryption key, hk – hashing key
     • Projected key generation: $hp = \alpha(hk, c)$
       – hk – hashing key, hp – projected key, $c = E(pk, m; r)$ – ciphertext
     • Hashing algorithm: $H(hk, m, c) \in G$
       – m – message, $c = E(pk, m; r)$ – ciphertext, hk – hashing key
     • Projected hashing algorithm: $h = h(hp, m, c; r)$
       – hp – projected key, r – random coins, $c = E(pk, m; r)$

  8. Smooth Projective Hash Functions: Security Properties
     • Correctness:
       – If $c = E(pk, m; r)$, then $(m, c, hp = \alpha(hk, c))$ uniquely determines $H(hk, m, c)$
       – When $c = E(pk, m; r)$, then $H(hk, m, c)$ can be computed efficiently given $r$: $h(hp, m, c; r) = H(hk, m, c)$
     • Smoothness (statistically):
       – If $c$ is not an encryption of $m$, then $(m, c, hp)$ gives no information on $H(hk, m, c)$
     • Pseudo-randomness (computationally):
       – When $c = E(pk, m; r)$ and $hp = \alpha(hk, c)$, then $H(hk, m, c)$ is pseudo-random given $(m, c, hp)$

     The Gennaro-Lindell Construction
     • Alice: $(sk_R, vk_R) \leftarrow$ Sig-KG; $c_R \leftarrow E_{pk}(pw \,\|\, vk_R; r_R)$
     • Alice → Bob: Alice, $vk_R$, $c_R$
     • Bob: $(sk_L, vk_L) \leftarrow$ Sig-KG; $hk_L \leftarrow$ hashKey; $hp_L \leftarrow \alpha(hk_L, c_R, vk_R)$; $c_L \leftarrow E_{pk}(pw \,\|\, vk_L; r_L)$
     • Bob → Alice: Bob, $hp_L$, $vk_L$, $c_L$
     • Alice: $hk_R \leftarrow$ hashKey; $hp_R \leftarrow \alpha(hk_R, c_L, vk_L)$; $\sigma_R \leftarrow \mathrm{Sign}(sk_R, \text{Transcript})$
     • Alice → Bob: $hp_R$, $\sigma_R$
     • Bob: $\sigma_L \leftarrow \mathrm{Sign}(sk_L, \text{Transcript})$
     • Bob → Alice: $\sigma_L$
     • Alice computes $K_L \leftarrow H_{hk_R}(pw, vk_L, c_L)$ and $K_R \leftarrow h_{hp_L}(pw, c_R, vk_R; r_R)$
     • Bob computes $K_R \leftarrow H_{hk_L}(pw, vk_R, c_R)$ and $K_L \leftarrow h_{hp_R}(pw, c_L, vk_L; r_L)$
     • $SK \leftarrow K_L \cdot K_R$
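The correctness property above, and the way a wrong password breaks the match between the two hash computations, can be seen in this added example (not code from the slides). It assumes textbook ElGamal as the encryption scheme $E$ over a constructed toy group, so here the projected key does not depend on $c$, unlike the Gennaro-Lindell variant on the slide; `encode` is a hypothetical password-to-group mapping.

```python
import secrets

# Constructed toy group (assumption): p = 2q + 1, g = 4 has prime order q.
P, Q, G = 2039, 1019, 4

def keygen():
    """ElGamal key pair (z, pk = g^z); the hash functions only use pk."""
    z = secrets.randbelow(Q - 1) + 1
    return z, pow(G, z, P)

def encrypt(pk, m, r):
    """c = E(pk, m; r) = (g^r, pk^r * m), with m a group element."""
    return pow(G, r, P), pow(pk, r, P) * m % P

def hash_key():
    """hk = HK(pk): two random exponents (a, b)."""
    return secrets.randbelow(Q), secrets.randbelow(Q)

def project(hk, pk):
    """Projected key hp = g^a * pk^b (independent of c in this ElGamal instance)."""
    a, b = hk
    return pow(G, a, P) * pow(pk, b, P) % P

def H(hk, m, c):
    """Hashing with hk: u^a * (e/m)^b, computed without the coins r."""
    a, b = hk
    u, e = c
    return pow(u, a, P) * pow(e * pow(m, -1, P) % P, b, P) % P

def h_proj(hp, r):
    """Projected hashing with the encryption coins r: hp^r."""
    return pow(hp, r, P)

def encode(pw):
    """Hypothetical encoding of a small PIN as the group element g^pw."""
    return pow(G, pw, P)

def demo(pw_sender=1234, pw_receiver=1234):
    """Sender encrypts its password; receiver hashes with its own password guess."""
    _, pk = keygen()
    r = secrets.randbelow(Q - 1) + 1
    c = encrypt(pk, encode(pw_sender), r)
    hk = hash_key()
    return H(hk, encode(pw_receiver), c), h_proj(project(hk, pk), r)
```

With equal passwords the two values always agree; with different passwords the value from `H` is offset by $(m/m')^b$, which is uniform in the group because $b$ is hidden by $hp$.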

