Practical Covert Authentication
Stanislaw Jarecki
University of California at Irvine
Public Key Cryptography 2014
Presentation Plan
1. Introduction to Covert Computation
2. Practical Covert Authentication Protocol: O(1) rounds, group elements, exponentiations…
3. Main Tool: Compiler for Covert Conditional OT's: ZKPK+ (Σ-protocol) for language L → Covert Conditional OT for L
4. Extensions / Open Problems
Background: Secure Computation

Secure computation hides all except for what is revealed by the output.

Ideal world: A(x) and B(y) hand their inputs to the trusted functionality F, and A receives F(x,y).
Real world: A and B run protocol π for F on inputs x and y.

Security: ∀ (efficient) adversary A ∃ (efficient) simulator Ã s.t. ∀ inputs y:
  A's interaction with [Ã ↔ F(y)] ≈ A's interaction with π(y)

Secure computation hides everything it can about B's input… but not the fact that B engages in a computation of F, which is information in itself!

  A voting protocol attempt reveals a potential voter.
  A petition signing attempt reveals a potential signer.
  … An authentication attempt reveals a member of some organization which uses the authentication protocol, no matter how credential/policy/attribute-hiding that protocol is!
Covert Computation: Can we hide the fact that computation is taking place?

Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F: in the real world A interacts either with B running π for F, or with nobody ("?").

Q: How can we hide that B follows protocol π?
A: Make π's messages indistinguishable from $ bits (uniformly random bit strings).

Q: How can we hide that B follows some protocol at all?
A: Run π over a steganographic channel (a channel that always sends $ bits):
   network control messages, padding, timing;
   pictures, music, voice, …;
   encryption (e.g. a VPN router), other crypto (e.g. "kleptography").

Q: But doesn't A's output z = F(x,y) reveal that B inputs some y?
A: Yes, but F's outputs can look $ for many (x,y)'s: Authenticated Key Exchange, any authenticated computation…

Covert π = as "random" as the ideal F   [vAHL05] (refined in [CGOS07])

Ideal world: A interacts with F on B's input y ← D, or with a $ beacon $(F) (random bits in the format of F).
Distinguishability of F from the $ beacon in the ideal world:
  CovDist_{F,D,Ã} = | Pr[1 ← Ã ↔ F(y) | y ← D] − Pr[1 ← Ã ↔ $(F)] |

Real world: A interacts with π run by B(y), y ← D, or with a $ beacon $(π) (random bits in the format of π's messages).
Distinguishability of π from the $ beacon in the real world:
  CovDist_{π,D,A} = | Pr[1 ← A ↔ π(y) | y ← D] − Pr[1 ← A ↔ $(π)] |

π is covert if ∀ A ∃ Ã s.t. (1) [standard secure computation requirements] and (2) ∀ distributions D: CovDist_{F,D,Ã} ≈ CovDist_{π,D,A}
Covert Computation: What is currently known?

[vAHL05]: Defined covert 2PC, O(sec.par.)-round protocol for any F
[CGOS07]: Defined covert MPC, O(sec.par.)-round protocol for any F
[GJ10]: Ω(sec.par.) rounds necessary for covert 2PC/MPC in the plain model

Can 2PC/MPC be covert in O(1) rounds in the CRS model? Probably (see the last slide).

How about a covert authentication (not necessarily a covert 2PC)?
This work: 5 rounds (3 in ROM), ≈30 RSA exponentiations per party.
Covert Authentication: Definition

KeyGen → PK + (CertA, CertB, CertC, …)   [unforgeable certificate scheme]

A(PK, CertA) and B(PK, CertB) call F_Auth; A receives K_A, B receives K_B.
F_Auth: if Ver(PK, CertA) and Ver(PK, CertB) then K_A = K_B (← $), otherwise K_A ← $ and K_B ← $ independently.
[+ handling of CRLs]

Covertness without a valid (& unrevoked) cert: if A has no valid (& unrevoked) cert then F_Auth ≈ $[F_Auth], and we require π_Auth ≈ $[π_Auth].

Our work: game-based definition, no extraction of PK (public input).
Covert Authentication: Protocol Idea (1): Use a "typical" Group Signature Scheme

KeyGen → PK + (CertA, CertB, CertC, …)   [unforgeable certificate scheme]

A(PK, CertA)                                 B(PK, CertB)
  C_A = COM(CertA)                  →
  ZKP[ (PK, C_A) ∈ L_ComCert ]      →
                                    ←        C_B = COM(CertB)
                                    ←        ZKP[ (PK, C_B) ∈ L_ComCert ]

L_ComCert = { x = (PK, C) s.t. ∃ w = (cert, dec) s.t. Ver(PK, cert) = 1 and Decommit(C, cert, dec) = 1 }

Revocation e.g. by a ZKP that the certificate in C is not on the CRL. Our work uses "verifier-local" revocation (without a ZKP) [BS'04].

But a ZKP (for non-trivial L) makes a protocol inherently non-covert!
  F_ZKP for L: P(witness w = (cert, dec)) and V(statement x = (PK, C)); V outputs b = 1 if w is a witness for x in L, otherwise b = 0.
  A ZKP is sound, so V's accept bit b separates a party that really runs the protocol from random noise, which is exactly what covertness has to hide.
Covert Authentication: Protocol Idea (2): Replace ZKP by Covert COT for L_GrSig

KeyGen → PK + (CertA, CertB, CertC, …)   [unforgeable certificate scheme]

A(PK, CertA)                                 B(PK, CertB)
  C_A = COM(CertA)                  →
  COT[ (PK, C_A) ∈ L_ComCert ]      ↔

Covert Conditional Oblivious Transfer (COT) for L (KEM version):
  R(witness w = (cert, dec)) and S(statement x = (PK, C)) call F_COT for L; R receives K_R, S receives K_S.
  F_COT: if w is a witness for x in L then K_R = K_S, otherwise K_R and K_S are independent (random).

Covertness:
  (1) In R's view, π_COT ≈ $[π_COT] if R has no valid w for S's x.
  (2) In S's view, π_COT ≈ $[π_COT] for all x.

Strong soundness: efficient extraction of w from a covertness-breaking R.

Analogy:  Signature : Encryption  ::  ZK Proof : Conditional OT (COT)  ::  ZK Proof of Knowledge : Strongly-Sound COT
Covert Authentication: Full Protocol

KeyGen → PK + (CertA, CertB, CertC, …)   [unforgeable certificate scheme]

A(PK, CertA)                                          B(PK, CertB)
  C_A = COM(CertA)                           →
  COT[ (PK, C_A) ∈ L_ComCert ], A as R, B as S  →     A gets K_A^R, B gets K_B^S
                                             ←        C_B = COM(CertB)
  COT[ (PK, C_B) ∈ L_ComCert ], A as S, B as R  ←     A gets K_A^S, B gets K_B^R
  K_A = K_A^R ⊕ K_A^S                                 K_B = K_B^S ⊕ K_B^R

Covertness (assume A has no valid cert):
  (1) A's view of the first COT together with K_B^S is ≈ $[π_COT^S]
  (2) A's view of C_B and of the second COT is ≈ $[π_COT^R]
  ⇒ A's view of the whole interaction together with K_B is ≈ $
Constructing Covert COT for L_ComCert

COT needs to assure extraction of witness w from a covertness-breaking Receiver:
if ∃ Adv who breaks covertness of the authentication protocol, then the reduction extracts a valid certificate (a forgery).

F_COT for L: R(witness w), S(statement x); if w is a witness for x in L then K_R = K_S, otherwise K_R and K_S are independent.

Smooth Projective Hash Functions (SPHF) → Covert COT for linear languages:
  L = { x = ([g_ij]) s.t. ∃ w = [w_j] s.t. g_1 = (g_11)^{w_1} (g_12)^{w_2} … (g_1n)^{w_n}, …, g_m = (g_m1)^{w_1} (g_m2)^{w_2} … (g_mn)^{w_n} }
  [+ additive and multiplicative relations between the w_j's]
but no extraction of witness w from a covertness-breaking R.
Compiler from ZKPK+ for L_ComCert to Covert COT

F_COT for L: R(witness w), S(statement x); if w is a witness for x in L then K_R = K_S, otherwise K_S and K_R are independent.

Example language: L = { x s.t. ∃ w s.t. x = g^w }

(HV)ZKPK for L (Σ-protocol):           covert COT for L:
  R: a = g^r                 →           R: C = COM(a)                        →
  S: e ← $                   ←           S: e ← $                              ←
  R: z = r + e·w             →           R: z                                  →
                                         S: SPHF[ C = COM(F(x,e,z)) ]          →  S gets K_S; R gets K_R from the decommitment of C
                                         If COM = ElGamal PKE then SPHF for DDH tuples [CS'98]  (+ 2/3 exp's / party)

SIM for this ZKPK+:  z ← $, e ← $, a = F(x,e,z) = g^z / x^e
(ZKPK+: the simulated and hence the real response z is uniformly random, so z is itself a covert message.)

Covertness from malicious S:
  • covert COM [ElGamal]
  • z ← $ (by ZKPK+)
  • SPHF non-interactive (S sends one projection key)

Covertness from malicious R:
  (case 1) C ≠ COM(F(x,e,z)): then K_S is independent of R's view of the SPHF (smoothness)
  (case 2) C = COM(F(x,e,z)): then, by the Forking Lemma, w ← Ext( (e,z), (e',z') )
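Added worked example (not from the slides or the paper): the compiler above instantiated for the discrete-log language L = { x : x = g^w } with the Schnorr Σ-protocol, an ElGamal commitment and the Cramer-Shoup DDH smooth projective hash, in Python. It also models the two-COT structure of the full protocol, with the certificate language replaced by knowledge of a group secret w for a public x = g^w and the two COT keys combined by XOR (an assumption; the slides do not show the combining operator). Group parameters are RFC 3526 group 14; the CRS commitment key H and all names are mine.

```python
"""Covert conditional OT (KEM form) for L = { x : exists w with x = g^w }:
Schnorr Sigma-protocol + ElGamal commitment + DDH smooth projective hash.
Added example code, not the paper's implementation."""
import hashlib
import secrets

# RFC 3526 group 14: safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4
assert pow(G, Q, P) == 1  # G really has order Q

def rand_exp() -> int:
    return secrets.randbelow(Q)

def inv(a: int) -> int:
    return pow(a, P - 2, P)

def kdf(elem: int) -> bytes:  # group element -> 32-byte key
    return hashlib.sha256(elem.to_bytes(256, "big")).digest()

# CRS (assumed): ElGamal commitment key H = G^t, generated once, trapdoor t discarded.
H = pow(G, rand_exp(), P)

def commit(m: int):
    """ElGamal commitment (u, v) = (G^s, H^s * m): two uniform group elements, hence covert."""
    s = rand_exp()
    return (pow(G, s, P), pow(H, s, P) * m % P), s

class Receiver:
    """Holds witness w for x = G^w; plays the Sigma-protocol prover."""
    def __init__(self, w: int):
        self.w = w
    def msg1(self):
        self.r = rand_exp()
        a = pow(G, self.r, P)              # Schnorr first message a = G^r ...
        C, self.s = commit(a)              # ... sent inside a commitment, not in the clear
        return C
    def msg2(self, e: int) -> int:
        return (self.r + e * self.w) % Q   # z = r + e*w, uniform in Z_Q (the ZKPK+ property)
    def key(self, proj: int) -> bytes:
        return kdf(pow(proj, self.s, P))   # projected hash: needs only the decommitment s

class Sender:
    """Holds statement x; never learns whether the receiver knew w."""
    def __init__(self, x: int):
        self.x = x
    def msg1(self, C) -> int:
        self.C, self.e = C, rand_exp()     # random challenge e
        return self.e
    def msg2(self, z: int):
        u, v = self.C
        m = pow(G, z, P) * inv(pow(self.x, self.e, P)) % P   # F(x,e,z) = G^z / x^e
        # SPHF for "C commits to m", i.e. (G, H, u, v/m) is a DDH tuple [CS'98]:
        k1, k2 = rand_exp(), rand_exp()
        proj = pow(G, k1, P) * pow(H, k2, P) % P               # projection key: one random-looking element
        hsh = pow(u, k1, P) * pow(v * inv(m) % P, k2, P) % P   # u^k1 (v/m)^k2 == proj^s iff C commits to m
        return proj, kdf(hsh)

def run_cot(recv: Receiver, send: Sender):
    """One COT run; returns (K_R, K_S). Every message is a group element or an exponent."""
    C = recv.msg1()
    e = send.msg1(C)
    z = recv.msg2(e)
    proj, k_s = send.msg2(z)
    return recv.key(proj), k_s

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def covert_auth(w_a: int, w_b: int, x: int):
    """Toy full protocol: one COT per direction, keys combined by XOR (assumed combiner)."""
    ka_r, kb_s = run_cot(Receiver(w_a), Sender(x))   # A proves membership to B
    kb_r, ka_s = run_cot(Receiver(w_b), Sender(x))   # B proves membership to A
    return xor(ka_r, ka_s), xor(kb_s, kb_r)

if __name__ == "__main__":
    w = rand_exp()
    x = pow(G, w, P)                       # group secret w, public group value x = G^w
    k_a, k_b = covert_auth(w, w, x)
    print("both members, keys agree :", k_a == k_b)
    k_a, k_b = covert_auth(rand_exp(), w, x)
    print("A not a member, keys agree:", k_a == k_b)
```

A receiver without w cannot make C open to G^z / x^e for a challenge e it sees only after committing, so the sender's key is independent of its view (case 1 above); a receiver who can is a prover from whom the forking lemma extracts w (case 2). Everything on the wire, the commitment, e, z and the projection key, is a uniform group element or exponent, which is the covertness argument for a malicious sender.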
Extensions / Open Problems
1. Covert 2PC for any F in CRS in O(1) rounds
2. Definitions: Composable Covert MPC?
3. Shorter Covert Authentication (EC with Bilinear Map)
4. Stronger Covert Authentication: Full-Fledged AKE
5. Other Revocation Models
6. Other Applications of Covertness