
A Scalable Password-based Group Key Exchange Protocol in the Standard Model

David Pointcheval, École normale supérieure & CNRS

Joint work with: Michel Abdalla

Authenticated Key Exchange (AKE)

Goal: Secure channel

Allows two parties to establish a common secret in an authenticated way

Intuitive goal: implicit authentication

– The session key should only be known to the parties involved in the protocol

Formally: semantic security

– The session key should be indistinguishable from a random string

Diffie-Hellman Protocol

Let G be a group in which the DDH problem is hard and let g be a generator for G

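Alice: $sk_A \leftarrow \{0,\dots,|G|-1\}$, $pk_A \leftarrow g^{sk_A}$

Bob: $sk_B \leftarrow \{0,\dots,|G|-1\}$, $pk_B \leftarrow g^{sk_B}$

Alice → Bob: $pk_A$

Bob → Alice: $pk_B$

Shared key: $pk_B^{sk_A} = g^{sk_A sk_B} = pk_A^{sk_B}$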

Protocol does NOT provide authentication

Authentication Techniques

Asymmetric techniques

– Assume the existence of a public-key infrastructure
– Each party holds a pair of secret and public keys

Symmetric techniques

– Users share a random secret key
– 2-party or 3-party settings

Password-based techniques

– Consider the case of weak secrets (e.g., a 4-digit PIN)

Group Password-based AKE (GPAKE)

Scenario

Similar to the 2-party case, except that …

– Number of protocol participants is variable
– Password is shared among all participants
– Session key is shared among all participants

Security goal

– Similar to the 2-party case: Indistinguishability

Allows a pool of users to establish a common session key with only the help of passwords

Communication Model

Users can have many protocol instances running concurrently

Communication controlled by the adversary

– Adversary can create, modify, or forward messages
– The transmission of messages is done via specific oracle queries

Previous Work on GPAKE

[BressonChevassutP02]:

– Group Diffie-Hellman password-based key exchange
– Linear number of rounds
– Security in the ROM and ICM

The Burmester-Desmedt GKE (BD94)

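Parties $P_1, \dots, P_i, \dots, P_N$

Round 1, each $P_i$:

– $x_i \leftarrow \mathbb{Z}_p$, $X_i \leftarrow g^{x_i}$
– Broadcasts $X_i$

Round 2, each $P_i$:

– $K_i \leftarrow X_{i+1}^{x_i}$, $K_{i-1} \leftarrow X_{i-1}^{x_i}$
– $Z_i \leftarrow K_i / K_{i-1}$
– Broadcasts $Z_i$

For $P_1$: $K_1 \leftarrow X_2^{x_1}$, $K_N \leftarrow X_N^{x_1}$, $Z_1 \leftarrow K_1 / K_N$

For $P_N$: $K_N \leftarrow X_1^{x_N}$, $K_{N-1} \leftarrow X_{N-1}^{x_N}$, $Z_N \leftarrow K_N / K_{N-1}$

Session key: $SK \leftarrow K_1 K_2 \cdots K_N$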

Protocol does NOT provide authentication

Adding Password Authentication: Ideal Cipher Model

EKE approach

– Encrypt all flows using the password pw
– In both rounds: $X_i^* = \mathcal{E}_{pw}(X_i)$ and $Z_i^* = \mathcal{E}_{pw}(Z_i)$

Problem

– In the BD protocol, $Z_1 Z_2 \cdots Z_N = 1$
– Dictionary attack:
  • Guess password pw
  • Compute $Z_i = \mathcal{D}_{pw}(Z_i^*)$ for $i = 1, \dots, N$
  • Check if $Z_1 Z_2 \cdots Z_N = 1$

A provably secure approach: [AbdallaBressonChevassutP06]

– Encrypt only the first round of the BD protocol, with a key that depends on the password but also the session ID and the party ID
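The Burmester-Desmedt key computation and the redundancy Z1 Z2 … ZN = 1 described on the two slides above, as an added Python example that is not part of the original slides. The modulus P, the base G and the multiplicative mask() standing in for the password-keyed cipher are assumptions chosen for illustration only.

```python
# Added example (not from the slides): Burmester-Desmedt over a toy group.
# P, G and mask() are constructed stand-ins, not vetted parameters or a real cipher.
import hashlib, secrets

P = 2**127 - 1          # constructed toy prime modulus
G = 3

def bd_run(n):
    """Rounds 1 and 2: secrets x_i, broadcasts X_i = g^x_i and Z_i = K_i / K_{i-1}."""
    xs = [secrets.randbelow(P - 2) + 1 for _ in range(n)]
    Xs = [pow(G, x, P) for x in xs]
    Zs = []
    for i in range(n):
        k_next = pow(Xs[(i + 1) % n], xs[i], P)   # K_i, shared with the successor
        k_prev = pow(Xs[(i - 1) % n], xs[i], P)   # K_{i-1}, shared with the predecessor
        Zs.append(k_next * pow(k_prev, -1, P) % P)
    return xs, Xs, Zs

def session_key(i, x_i, Xs, Zs):
    """Party i walks the ring with K_j = Z_j * K_{j-1}, then SK = K_1 K_2 ... K_N."""
    n = len(Xs)
    k = pow(Xs[(i - 1) % n], x_i, P)              # K_{i-1}, computed locally
    sk = 1
    for step in range(n):
        k = k * Zs[(i + step) % n] % P
        sk = sk * k % P
    return sk

def product(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def mask(pw, i):
    """Toy stand-in for encryption under pw of flow i: a password-derived group element."""
    digest = hashlib.sha256(f"{pw}|{i}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def encrypt_round2(Zs, pw):
    return [z * mask(pw, i) % P for i, z in enumerate(Zs)]

def guess_is_consistent(enc_Zs, guess):
    """The redundancy check from the slide: do the unmasked Z_i multiply to 1?"""
    plain = [c * pow(mask(guess, i), -1, P) % P for i, c in enumerate(enc_Zs)]
    return product(plain) == 1
```

Because the round-2 values carry this redundancy, a recorded transcript is enough to test password guesses offline, which is why the provably secure variant encrypts only the first round.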

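The Burmester-Desmedt GKE: A Generic Version

From any key exchange protocol KE:

– $P_{i-1}$ and $P_i$ run KE and obtain $K_{i-1}$
– $P_i$ and $P_{i+1}$ run KE and obtain $K_i$
– Broadcast values: $Z_{i-1} \leftarrow K_{i-1} / K_{i-2}$, $Z_i \leftarrow K_i / K_{i-1}$, $Z_{i+1} \leftarrow K_{i+1} / K_i$
– $SK \leftarrow K_1 K_2 \cdots K_N$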

A GPAKE in the Standard Model: Intuition

Run an instance of the PAKE protocol between any two consecutive users

– so that it generates 2 pairwise keys

Each user should authenticate its predecessor and successor (using one of the pairwise keys)

Use the 2 other pairwise keys to generate the group session key (Burmester-Desmedt)

Signatures authenticate the transcript of all messages that were broadcast in previous rounds, and that have to be linked together

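A GPAKE in the Standard Model: Outline

Parties $P_{i-1}$, $P_i$, $P_{i+1}$

– PAKE between $P_{i-1}$ and $P_i$: both obtain $K^R_{i-1}$, $K_i$
– PAKE between $P_i$ and $P_{i+1}$: both obtain $K^R_i$, $K_{i+1}$
– Authentication of $P_{i+1}$: $test^R_i \leftarrow UH(K^R_i)$; flow $test^R_i$
– Authentication of $P_{i-1}$: $test^L_i \leftarrow UH'(K^R_{i-1})$
– Burmester-Desmedt: $X_i \leftarrow K_{i+1} / K_i$; flow $test^L_i, X_i$
– Link all the flows: $\sigma_i$
– $SK \leftarrow UH''(K_1 K_2 \cdots K_N)$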

Smooth Projective Hash Functions

[Gennaro-Lindell’s variant]

Hash key generation: hk = HK(pk)

– pk – public encryption key, hk – hashing key

Projected key generation: hp = (hk, c)

– hk – hashing key, hp – projected key, c = E(pk,m;r) – ciphertext

Hashing algorithm: $H(hk, m, c) \in G$

– m – message, c = E(pk,m;r) – ciphertext, hk – hashing key

Projected hashing algorithm: h = h(hp, m, c; r)

– hp – projected key, r – random coins, c = E(pk,m;r)

Smooth Projective Hash Functions: Security Properties

Correctness:

– If c = E(pk,m;r), then (m, c, hp = (hk, c)) uniquely determines H(hk,m,c)
– When c = E(pk,m;r), then H(hk,m,c) can be computed efficiently given r: h(hp,m,c; r) = H(hk,m,c)

Smoothness (statistically):

– If c is not an encryption of m, then (m, c, hp) gives no information on H(hk,m,c)

Pseudo-randomness (computationally):

– When c = E(pk,m;r) and hp = (hk,c), then H(hk,m,c) is pseudo-random given (m,c,hp)
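Correctness and smoothness, worked through on a small instance as an added Python example that is not part of the original slides. It swaps in plain ElGamal for the labeled IND-CCA scheme of the talk, so here the projected key depends only on pk rather than on c; the group parameters P, Q, G and all function names are assumptions chosen for illustration.

```python
# Added example (not from the slides): an SPHF for "c is an ElGamal encryption of m".
# ElGamal replaces the labeled IND-CCA scheme of the talk; P, Q, G are toy values.
import secrets

P, Q, G = 2039, 1019, 4      # constructed: safe prime P = 2Q + 1, G has prime order Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)                      # pk = g^sk

def encrypt(pk, m, r):
    """c = E(pk, m; r) = (g^r, pk^r * g^m)."""
    return pow(G, r, P), pow(pk, r, P) * pow(G, m, P) % P

def hash_keygen():
    """hk = (a, b), the secret hashing key."""
    return secrets.randbelow(Q), secrets.randbelow(Q)

def project(hk, pk):
    """hp = g^a * pk^b, safe to publish."""
    a, b = hk
    return pow(G, a, P) * pow(pk, b, P) % P

def hash_with_hk(hk, m, c):
    """H(hk, m, c) = u^a * (e / g^m)^b: needs hk, not the coins r."""
    a, b = hk
    u, e = c
    return pow(u, a, P) * pow(e * pow(G, (-m) % Q, P) % P, b, P) % P

def hash_with_coins(hp, r):
    """h(hp, m, c; r) = hp^r: needs the coins r, not hk."""
    return pow(hp, r, P)

def hashes_consistent_with_hp(hk, sk, m, c):
    """Every H(hk', m, c) over keys hk' that project to the same hp as hk.
    Uses sk to enumerate them, which only the demonstration can do."""
    a0, b0 = hk
    t = (a0 + sk * b0) % Q                        # discrete log of hp
    sk_inv = pow(sk, -1, Q)
    return {hash_with_hk((a, (t - a) * sk_inv % Q), m, c) for a in range(Q)}
```

For a ciphertext that really encrypts m the set returned by hashes_consistent_with_hp has one element (hp fixes the hash); for any other m it has Q elements, so hp leaves the hash value undetermined.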

The Gennaro-Lindell Construction

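Alice:

– $(sk_R, vk_R) \leftarrow \text{Sig-KG}$
– $c_R \leftarrow E_{pk}(pw, vk_R; r_R)$

Alice → Bob: Alice, $vk_R$, $c_R$

Bob:

– $(sk_L, vk_L) \leftarrow \text{Sig-KG}$
– $hk_L \leftarrow \text{hashKey}$, $hp_L \leftarrow (hk_L, c_R, vk_R)$
– $c_L \leftarrow E_{pk}(pw, vk_L; r_L)$

Bob → Alice: Bob, $hp_L$, $vk_L$, $c_L$

Alice:

– $hk_R \leftarrow \text{hashKey}$, $hp_R \leftarrow (hk_R, c_L, vk_L)$
– $\sigma_R \leftarrow \text{Sign}(sk_R, \text{Transcript})$

Alice → Bob: $hp_R$, $\sigma_R$

Bob:

– $\sigma_L \leftarrow \text{Sign}(sk_L, \text{Transcript})$

Bob → Alice: $\sigma_L$

Key derivation:

– Alice: $K_L \leftarrow H_{hk_R}(pw, vk_L, c_L)$, $K_R \leftarrow h_{hp_L}(pw, c_R, vk_R; r_R)$
– Bob: $K_R \leftarrow H_{hk_L}(pw, vk_R, c_R)$, $K_L \leftarrow h_{hp_R}(pw, c_L, vk_L; r_L)$
– $SK \leftarrow K_L K_R$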

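A GPAKE in the Standard Model: Details

Party $P_i$:

– $(sk_i, vk_i) \leftarrow KG$, $L_i \leftarrow vk_i \,\|\, U_1 \,\|\, \dots \,\|\, U_N$
– Flow: $P_i, L_i, c^R_i$
– $hk_i, hk^L_i, hk^R_i \leftarrow \text{hashKey}$
– With $P_{i-1}$: $hp^L_i \leftarrow (hk^L_i, L_{i-1}, c^R_{i-1})$; flow $hp^L_i, c^L_i$
– With $P_{i+1}$: $hp^R_i \leftarrow (hk^R_i, L_{i+1}, c^L_{i+1})$ and $hp_i \leftarrow (hk_i, L_{i+1}, c^L_{i+1})$
– With $P_{i+1}$: $SK^R_i$, $test^R_i$ and $\sigma^R_i \leftarrow \text{Sign}(sk_i, \text{Transcript})$; flow $hp_i, hp^R_i, test^R_i, \sigma^R_i$
– With $P_{i-1}$: $SK^L_i$, $test^L_i$; flow $X_i, test^L_i$
– Burmester-Desmedt: $K_i$, $K_{i+1}$ and $X_i \leftarrow K_{i+1} / K_i$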

A GPAKE in the Standard Model: Security

IF

– LPKE is a labeled encryption IND-CCA
– HASH is a family of smooth projective hash functions
– UH, UH’, UH’’ are families of universal hash functions
– SIG is a signature scheme SUF-CMA (2-time secure)

THEN

– The protocol described in the previous slides is a secure GPAKE protocol

Adv O(qsend / D) O(N qsession / D)

Concluding Remarks

Efficient GPAKE

– 5 rounds
– 2 encryptions, 3 projections
– 3 hashings, 3 projected hashings
– 5 universal hashings
– 2 signatures, N verifications: 2-time signatures

Secure GPAKE in the standard model

– Under classical assumptions (DDH, QR, HR)

TCC07:

[AbdallaBohliGonzalezSteinwandt07]

– Generic compiler from 2-party to group AKE
– With the same authentication mode
– Proven secure in the standard model