universally composable non-interactive key exchange › fileadmin › user › hesse ›...
TRANSCRIPT
Universally Composable Non-Interactive KeyExchangeSCN 2014, 03-09-2014
Eduarda S.V. Freire, Julia Hesse, Dennis Hofheinz
Oh no, ...
Universally Composable Non-Interactive Key Exchange 1/23
Oh no, ...
...it’s a UC talk!
Universally Composable Non-Interactive Key Exchange 1/23
Oh no, ...
...it’s a UC talk!
...please no proof,please no proof,please no proof...
Universally Composable Non-Interactive Key Exchange 1/23
Oh no, ...
...it’s a UC talk!
...please no proof,please no proof,please no proof...
...I should havebrought coffee!
Universally Composable Non-Interactive Key Exchange 1/23
Introducing...
Universally Composable Non-Interactive Key Exchange 2/23
Introducing...
Universally Composable Non-Interactive Key Exchange 2/23
Introducing...
Universally Composable Non-Interactive Key Exchange 2/23
Introducing...
Universally Composable Non-Interactive Key Exchange 2/23
Outline
1 Non-Interactive Key Exchange (NIKE)IntroductionReview: NIKE Security Notions
2 UC Security of NIKEUC SecurityThe New FunctionalityRelations to Game-Based Security
3 Summary
Universally Composable Non-Interactive Key Exchange 3/23
Outline
1 Non-Interactive Key Exchange (NIKE)IntroductionReview: NIKE Security Notions
2 UC Security of NIKEUC SecurityThe New FunctionalityRelations to Game-Based Security
3 Summary
Universally Composable Non-Interactive Key Exchange 4/23
A Popular Example
gb ga
a b
ga
gb
H(Alice,Bob,gab) H(Alice,Bob,gab)
Universally Composable Non-Interactive Key Exchange 5/23
A Popular Example
gb ga
a b
ga
gb
H(Alice,Bob,gab) H(Alice,Bob,gab)
Universally Composable Non-Interactive Key Exchange 5/23
A Popular Example
gb ga
a b
ga
gb
H(Alice,Bob,gab) H(Alice,Bob,gab)
Universally Composable Non-Interactive Key Exchange 5/23
A Popular Example
gb ga
a b
ga
gb
H(Alice,Bob,gab) H(Alice,Bob,gab)
Universally Composable Non-Interactive Key Exchange 5/23
A Popular Example
gb ga
a b
ga
gb
H(Alice,Bob,gab) H(Alice,Bob,gab)
Universally Composable Non-Interactive Key Exchange 5/23
A Popular Examplegb ga
a b
ga
gb
H(Alice,Bob,gab) H(Alice,Bob,gab)
Universally Composable Non-Interactive Key Exchange 5/23
A Popular Examplegb ga
a b
ga
gb
H(Alice,Bob,gab) H(Alice,Bob,gab)
Universally Composable Non-Interactive Key Exchange 5/23
Attacks on NIKE
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
NIKE schemes rely on a PKI!
Universally Composable Non-Interactive Key Exchange 6/23
Attacks on NIKE
Manipulate the phone book byregistering a hijacked public key for himselfregistering a public key of invalid format
Universally Composable Non-Interactive Key Exchange 7/23
Outline
1 Non-Interactive Key Exchange (NIKE)IntroductionReview: NIKE Security Notions
2 UC Security of NIKEUC SecurityThe New FunctionalityRelations to Game-Based Security
3 Summary
Universally Composable Non-Interactive Key Exchange 8/23
Game-based security notions
CKS Security (simplest form)
Challenger
(ski , pki )← KeyGen, i ∈ {0, 1}
pk∗ ∈ {0, 1}∗i ∈ {0, 1}
(use ski )
.
.
. key∗ =
{keypk0,pk1
if b = 0
random else
b $← {0, 1}
output b ?= b′
pk0, pk1
pk∗, pki
keypk∗,pki
key∗
b′
Universally Composable Non-Interactive Key Exchange 9/23
Shortcomings
CKS security admits arbitrary public keys pk∗
=⇒ adversary can ask for session keys involving(possibly invalid) pk∗
Extending CKS security to support (possibly interactive) validitychecks (e.g., proofs of possession of sk)
requires session handlingleads to a variety of different notions
Use modular security model!
Universally Composable Non-Interactive Key Exchange 10/23
Does it matter?
Freire et al.: Non-Interactive Key Exchange (PKC 2013)A factoring-based NIKE in the standard model that
assumes valid public keysprovides a validity check
=⇒ We may need a more flexible security notion than CKSsecurity!
Universally Composable Non-Interactive Key Exchange 11/23
Outline
1 Non-Interactive Key Exchange (NIKE)IntroductionReview: NIKE Security Notions
2 UC Security of NIKEUC SecurityThe New FunctionalityRelations to Game-Based Security
3 Summary
Universally Composable Non-Interactive Key Exchange 12/23
UC Security
Universally Composable Non-Interactive Key Exchange 13/23
UC Security
Universally Composable Non-Interactive Key Exchange 13/23
UC Security
Universally Composable Non-Interactive Key Exchange 13/23
Outline
1 Non-Interactive Key Exchange (NIKE)IntroductionReview: NIKE Security Notions
2 UC Security of NIKEUC SecurityThe New FunctionalityRelations to Game-Based Security
3 Summary
Universally Composable Non-Interactive Key Exchange 14/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?
Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?
Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?
Is Bob registered?
Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?
Is Bob registered?
Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?
Is Bob honest?
Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?
Is Bob honest?
Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?
Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
An ideal NIKE
FNIKE
what’s my key with Bob?
Is Bob honest?Is Bob registered?Is Bob honest?Key of Alice and Bob?
Universally Composable Non-Interactive Key Exchange 15/23
Advantages
Complete modeling of NIKE protocols that makeassumptions about public keysModular security notionIntuitive security notionCan also be used for ID-based NIKE
Universally Composable Non-Interactive Key Exchange 16/23
Outline
1 Non-Interactive Key Exchange (NIKE)IntroductionReview: NIKE Security Notions
2 UC Security of NIKEUC SecurityThe New FunctionalityRelations to Game-Based Security
3 Summary
Universally Composable Non-Interactive Key Exchange 17/23
Static Security
Static UC adversary
corruption only allowed before first key is issued
Backwards compatibility:π CKS-secure =⇒ π UC-emulates FNIKE w.r.t staticadversaries.
Universally Composable Non-Interactive Key Exchange 18/23
Adaptive Security (1)
Adaptive UC adversary
corruption allowed at any time
Impossibility result:FNIKE not realizable without additional assumptions.
Universally Composable Non-Interactive Key Exchange 19/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (1)
Universally Composable Non-Interactive Key Exchange 20/23
Adaptive Security (2)
If the simulator has more powerful tools like a programmablerandom oracle...
+
... FNIKE becomes realizable.
Universally Composable Non-Interactive Key Exchange 21/23
Adaptive Security (2)
Universally Composable Non-Interactive Key Exchange 22/23
Adaptive Security (2)
Universally Composable Non-Interactive Key Exchange 22/23
Adaptive Security (2)
Universally Composable Non-Interactive Key Exchange 22/23
Adaptive Security (2)
Universally Composable Non-Interactive Key Exchange 22/23
Adaptive Security (2)
Universally Composable Non-Interactive Key Exchange 22/23
Summary
Definition of UC-secure NIKEintuitive and modularanalyze protocols that are vulnerable to PKI attacks
Relations to game-based notionsPossibility and impossibility results
Thank you!
Universally Composable Non-Interactive Key Exchange 23/23