
Strongly Secure One-Round Group Authenticated Key Exchange in the - PowerPoint PPT Presentation

Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model (short title: Strongly Secure One-Round GAKE). Yong Li, Zheng Yang, Ruhr-University Bochum. CANS 2013.


  1. Strongly Secure One-Round Group Authenticated Key Exchange in the Standard Model (short title: Strongly Secure One-Round GAKE). Yong Li, Zheng Yang, Ruhr-University Bochum. CANS 2013.

  2. Outline
     - Deck sections: Introduction, Motivation and Contributions; GAKE Security Model (G-eCK Model); Strongly Secure One-Round GAKE; Formal Definition of One-round GAKE; Strongly Secure One-Round GAKE in the Standard Model
     - Introduction, Motivation and Contributions
     - GAKE security model (G-eCK)
     - Formal definition of GAKE
     - New one-round GAKE protocols in the standard model

  3. Introduction
     - Numerous group-oriented scenarios:
       - video conferencing
       - collaborative applications, etc.
     - Security goals:
       - Confidentiality
       - Integrity
       - Authentication

  4. Introduction
     - Group authenticated key exchange:
       - a shared symmetric session key for group members
       - secure multicasting network layer among the parties using a symmetric encryption with a shared session key
     - [Figure: n-party group (Party 1, ..., Party i, ..., Party n) connected over the Internet by confidential channels; the sender computes C := Enc(k, m) and the receiver computes m := Dec(k, C).]

  5. Classical example: Tripartite DHKE
     - KE: Pairing-based Tripartite Diffie-Hellman key exchange (TDHKE) [AJ04]
     - Let $G$ and $G_T$ be two cyclic groups of prime order $p$, with generator $g$ for $G$, and a bilinear computable pairing $e : G \times G \to G_T$.
     - Party A: $sk_A : a \stackrel{\$}{\leftarrow} \mathbb{Z}_p$; $pk_A : A = g^a \in G$.
     - Party B: $sk_B : b \stackrel{\$}{\leftarrow} \mathbb{Z}_p$; $pk_B : B = g^b \in G$.
     - Party C: $sk_C : c \stackrel{\$}{\leftarrow} \mathbb{Z}_p$; $pk_C : C = g^c \in G$.

  6. Tripartite Diffie-Hellman Key Exchange
     - Shared session key: $K_{A,B,C} = e(B, C)^a = e(A, C)^b = e(A, B)^c = e(g, g)^{abc}$
     - Party (A): $a \leftarrow \mathbb{Z}_p^*$, $A := g^a$, $K := e(B, C)^a$
     - Party (B): $b \leftarrow \mathbb{Z}_p^*$, $B := g^b$, $K := e(A, C)^b$
     - Party (C): $c \leftarrow \mathbb{Z}_p^*$, $C := g^c$, $K := e(A, B)^c$
     - [Figure: the three parties exchange $A$, $B$ and $C$ and derive the same session key.]

  7. Insecurity of TDHKE
     - Man-in-the-Middle attack on TDHKE
     - Attacker (D): $d_1, d_2, d_3 \leftarrow \mathbb{Z}_p^*$; $D_1 := g^{d_1}$, $D_2 := g^{d_2}$, $D_3 := g^{d_3}$; $K_A := e(A, D_3)^{d_1}$, $K_B := e(B, D_1)^{d_2}$, $K_C := e(C, D_2)^{d_3}$
     - Party (A): $a \leftarrow \mathbb{Z}_p^*$, $A := g^a$, $K := e(D_1, D_3)^a$
     - Party (B): $b \leftarrow \mathbb{Z}_p^*$, $B := g^b$, $K := e(D_1, D_2)^b$
     - Party (C): $c \leftarrow \mathbb{Z}_p^*$, $C := g^c$, $K := e(D_2, D_3)^c$
     - How to thwart MITM attacks? Authenticated Key Exchange.
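The key agreement of slides 5 and 6 and the key substitution of slide 7, as an added example that is not part of the original slides. It assumes a toy bilinear map in which an element g^x of G is stored as its exponent x (so discrete logarithms are trivial) and the parameters `Q`, `P` and `GT` are constructed, insecure values; all function names are hypothetical.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
Q = 1019          # prime group order; the slides call it p
P = 2 * Q + 1     # 2039 is prime, so Z_P^* contains a subgroup of order Q
GT = 4            # generator of that subgroup, standing in for e(g, g)

def keygen(sk=None):
    """Return (sk, pk). Toy encoding: the element g^sk of G is stored as sk mod Q."""
    if sk is None:
        sk = secrets.randbelow(Q - 1) + 1      # sk drawn from Z_Q^*
    return sk, sk % Q

def pairing(X, Y):
    """Toy bilinear map e(g^x, g^y) = e(g, g)^(x*y) into the order-Q subgroup."""
    return pow(GT, (X * Y) % Q, P)

def session_key(sk, pk1, pk2):
    """K := e(pk1, pk2)^sk, the computation every party performs."""
    return pow(pairing(pk1, pk2), sk, P)

def honest_run(a=None, b=None, c=None):
    (a, A), (b, B), (c, C) = keygen(a), keygen(b), keygen(c)
    return session_key(a, B, C), session_key(b, A, C), session_key(c, A, B)

def mitm_run(a, b, c, d1, d2, d3):
    """Replay the substitution from slide 7: every party receives only D values."""
    (a, A), (b, B), (c, C) = keygen(a), keygen(b), keygen(c)
    (d1, D1), (d2, D2), (d3, D3) = keygen(d1), keygen(d2), keygen(d3)
    parties = (session_key(a, D1, D3),    # A computes e(D1, D3)^a
               session_key(b, D1, D2),    # B computes e(D1, D2)^b
               session_key(c, D2, D3))    # C computes e(D2, D3)^c
    attacker = (session_key(d1, A, D3),   # K_A = e(A, D3)^d1
                session_key(d2, B, D1),   # K_B = e(B, D1)^d2
                session_key(d3, C, D2))   # K_C = e(C, D2)^d3
    return parties, attacker

if __name__ == "__main__":
    print("honest keys agree:", len(set(honest_run())) == 1)
    parties, attacker = mitm_run(2, 3, 5, 7, 11, 13)
    print("parties agree with each other:", len(set(parties)) == 1)
    print("each party's key is known to D:", parties == attacker)
```

With the fixed secrets above, the three parties end up with three different keys, each shared with D rather than with each other, which is the gap authentication has to close.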

  8. Motivation
     - GAKE is a fundamental cryptographic primitive, and there are different possible security models and schemes for GAKE, e.g. [BCPQ01], [BCP02], [KY03], [BMS07], etc.
     - But there is no secure scheme in the G-eCK security model - one of the strongest security models for one-round GAKE - under standard assumptions without random oracles.

  9. Motivation
     - 2009: [MSU09] provides a tripartite/group key exchange scheme and analyses it in the G-eCK security model, but in the random oracle model.
     - 2012: [FMSB12] provides a tripartite key exchange. It satisfies G-eCK security, but under the gap Bilinear Diffie-Hellman (GBDH) assumption in the random oracle model.

  10. Contributions
     - We provide a concrete construction for a one-round 3AKE protocol that is G-eCK secure in the standard model - based on pairings [BS02].
     - A provably G-eCK secure GAKE scheme with constant maximum group size in the standard model - based on multilinear maps [GGH13].

  11. Evolution of AKE Security Models
     - B93 model: 1: Chosen Message; 2: Known Session Key
     - B95 model: 1: Chosen Message; 2: Known Session Key; 3: Adaptive Corruption
     - CK01 model: 1: Chosen Message; 2: Known Session Key; 3: Adaptive Corruption; 3.1: Perfect Forward Secrecy; 4: Leakage of Session States
     - eCK07 model: 1: Chosen Message; 2: Known Session Key; 3: Adaptive Corruption; 3.1: Weak Perfect Forward Secrecy; 3.2: Key Compromise Impersonation; 4: Leakage of Session States; 5: Chosen Identity and Public Key

  12. G-eCK Model: Execution Environment (1)
     - A set of honest parties $\{ID_1, \ldots, ID_\ell\}$ for $\ell \in \mathbb{N}$ and $ID_i \in \mathcal{IDS}$.
     - Each identity is associated with a long-term key pair $(sk_{ID_i}, pk_{ID_i}) \in (\mathcal{SK}, \mathcal{PK})$.
     - Each honest party $ID_i$ can sequentially and concurrently execute the protocol multiple times with different intended partners. This is characterized by a collection of oracles $\{\pi_i^s : i \in [\ell], s \in [\rho]\}$ for $\rho \in \mathbb{N}$, i.e. oracle $\pi_i^s$ behaves as party $ID_i$.

  13. G-eCK Model: Execution Environment (2)
     We assume each oracle $\pi_i^s$ maintains a list of independent internal state variables with the following semantics:
     - $\mathsf{pid}_i^s$: a variable that stores a set of partner identities in the group
     - $\Phi_i^s$: a variable that stores the oracle decision $\Phi_i^s \in \{\mathtt{accept}, \mathtt{reject}\}$
     - $K_i^s$: a variable that records the session key $K_i^s \in \mathcal{K}_{\mathsf{KE}}$ for symmetric encryption

  14. G-eCK Model: Execution Environment (2)
     - $st_i^s$: a variable that stores the maximum secret session states that are allowed to be leaked
     - $T_i^s$: a variable that stores the transcript of all messages sent and received by $\pi_i^s$ during its execution

  15. G-eCK Model: Adversarial Model (1)
     - Queries: Send, RegisterCorrupt, Corrupt, RevealKey, StateReveal, Test
     - [Figure: GAKE security game between challenger C (parties $ID_1, ID_2, \ldots, ID_i, ID_{i+1}, \ldots, ID_{\ell-1}, ID_\ell$) and adversary A.]

  16. G-eCK Model: Adversarial Model (2)
     - Queries: Send, RegisterCorrupt, Corrupt, RevealKey, StateReveal, Test
     - Send-query: $\mathsf{Send}(\pi_i^s, m)$, with response $m'$
     - [Figure: GAKE security game between challenger C (parties $ID_1, ID_2, \ldots, ID_i, ID_{i+1}, \ldots, ID_{\ell-1}, ID_\ell$) and adversary A.]

  17. G-eCK Model: Adversarial Model (3)
     - Queries: Send, Corrupt, RegisterCorrupt, RevealKey, StateReveal, Test
     - Corrupt-query: $\mathsf{Corrupt}(ID_i)$, with response $sk_{ID_i}$
     - [Figure: GAKE security game between challenger C (parties $ID_1, ID_2, \ldots, ID_i, ID_{i+1}, \ldots, ID_{\ell-1}, ID_\ell$) and adversary A.]

  18. G-eCK Model: Adversarial Model (4)
     - Queries: Send, Corrupt, RegisterCorrupt, RevealKey, StateReveal, Test
     - $\mathsf{RegisterCorrupt}(ID^*, pk_{ID^*}, \mathsf{proof}_{ID^*})$ for dishonest parties $ID^*$
     - [Figure: GAKE security game between challenger C (parties $ID_1, ID_2, \ldots, ID_i, ID_{i+1}, \ldots, ID_{\ell-1}, ID_\ell$) and adversary A.]

  19. G-eCK Model: Adversarial Model (5)
     - Queries: Send, Corrupt, RegisterCorrupt, RevealKey, StateReveal, Test
     - RevealKey-query: $\mathsf{RevealKey}(\pi_i^s)$, with response the session key $K_i^s$
     - [Figure: GAKE security game between challenger C (parties $ID_1, ID_2, \ldots, ID_i, ID_{i+1}, \ldots, ID_{\ell-1}, ID_\ell$) and adversary A.]
