Transcript
Page 1: Practical Covert Authentication

Practical Covert Authentication

Stanislaw Jarecki

University of California at Irvine

Public Key Cryptography 2014

Page 2: Practical Covert Authentication

Presentation Plan

1. Introduction to Covert Computation

2. Practical Covert Authentication Protocol: O(1) rounds, group elements, exponentiations…

3. Main Tool: Compiler for Covert Conditional OT’s, from ZKPK+ (Σ-protocol) for language L to Covert Conditional OT for L

4. Extensions / Open Problems

Page 3: Practical Covert Authentication

Background: Secure Computation

Secure Computation hides all except for what’s revealed by output

[Diagram: A, with input x and output F(x,y), and B(y) run protocol π for F]

~

(eff.) adversary A (eff.) simulator à s.t. inputs y

A’s interaction with à F(y) ≈ A π(y)

~yB

Page 4: Practical Covert Authentication

Voting protocol attempt reveals a potential voter

Petition signing attempt reveals a potential signer

…

Authentication attempt reveals a member of some organization which uses the authentication protocol, no matter how credential/policy/attribute-hiding that protocol is!

[Diagram: A (input x, output F(x,y)) and B (input y) run π for F]

Secure computation hides everything it can about B’s input… But not the fact that B engages in computation of F, which is information in itself!

Background: Secure Computation

Page 5: Practical Covert Authentication

Covert Computation: Can we hide the fact that computation is taking place?

Covert Computation (for functionality F) should hide even whether party B engages in a sec. comp. protocol for F

Q: How can we hide that B follows protocol π?

A: Make π’s messages indistinguishable from $ bits

[Diagram: A and B/? connected by π for F]

Page 6: Practical Covert Authentication

Covert Computation (for functionality F) should hide even whether party B engages in a sec. comp. protocol for F

Q: How can we hide that B follows protocol π?

A: Make π’s messages indistinguishable from $ bits

Q: How can we hide that B follows some protocol?

A: Run π over a steganographic channel (= always sends $ bits)

Network control messages, padding, timing

Pictures, music, voice, …

Encryption (e.g. VPN router), other crypto (e.g. “kleptography”)

[Diagram: A and B/$ connected by π for F]

Covert Computation: Can we hide the fact that computation is taking place?

Page 7: Practical Covert Authentication

Covert Computation (for functionality F) should hide even whether party B engages in a sec. comp. protocol for F

Q: But doesn’t A’s output z=F(x,y) reveal that B inputs some y?

A: Yes, but F outputs can look $ for many (x,y)’s:

Authenticated Key Exchange

Any authenticated computation…

[Diagram: A (input x, output F(x,y)) and B/$ (input y/?) connected by π for F]

Covert Computation: Can we hide the fact that computation is taking place?

Page 8: Practical Covert Authentication

Covert Computation: Covert π = as “random” as the ideal F [vAHL05] (refined in [CGOS07])

[Diagram: Ã with F/$ (ideal world); A with π/$ and B(y) (real world); inputs x, y, distribution D]

Distinguishability of F from $ beacon in the ideal world:

CovDist F,D,Ã = | Pr[1Ã F(y) | yD] - Pr[1Ã $(F)] |

Distinguishability of π from $ beacon in the real world:

CovDist π,D,A = | Pr[1A π(y) | yD] - Pr[1A $(π)] |

π covert if A Ã s.t. (1) [standard secure computation requirements] (2) dist. D CovDist F,D,Ã ≈ CovDist π,D,A

Page 9: Practical Covert Authentication

Covert Computation: What is currently known?

[vAHL05]: Defined covert 2PC, O(sec.par.)-round protocol for any F

[CGOS07]: Defined covert MPC, O(sec.par.)-round protocol for any F

[GJ10]: Ω(sec.par.) rounds necessary for covert 2/MPC in plain model

[Diagram: Ã with F/$ (ideal world); A with π/$ and B(y) (real world); inputs x, y, distribution D]

Can 2PC/MPC be covert in O(1) rounds in CRS model? Probably (see the last slide)

How about a covert authentication (not necessarily a covert 2PC)? This work: 5 rounds (3 in ROM), ≈30 RSA exp.’s/party

Page 10: Practical Covert Authentication

Covert Authentication

Definition

KeyGen PK + (CertA,CertB,CertC,…) [unforgeable cert. scheme]

A B(PK,CertA)

If A has no valid (& unrevoked) cert then FAuth ≈ $[FAuth]

Covertness w/o valid (& unrevoked) cert: πAuth ≈ $[πAuth]

FAuth

If Ver(PK,CertA) and Ver(PK,CertB) then KA = KB ( $)

o/w KA KB ( $ $)

(PK,CertB)

KA KB

[ + handling of CRL’s ]

Our work: Game-based definition, no extraction of PK (public input)

& KB

Page 11: Practical Covert Authentication

Covert Authentication

Protocol Idea: (1) Use a “typical” Group Signature Sch.

A BCA = COM(CertA)

Revocation e.g. by ZKP that certificate in C is not on the CRL Our work uses “verifier-local” revocation (w/o ZKP) [BS’04]

(PK,CertB)(PK,CertA)

ZKP[ (PK,CA) LComCert ]

CB = COM(CertB)

ZKP[ (PK,CB) LComCert ]

LComCert = { x=(PK,C) s.t. w=(cert,dec) s.t. Ver(PK,cert)=1 and Decommit(C,cert,dec)=1 }

KeyGen PK + (CertA,CertB,CertC,…) [unforgeable cert. scheme]

Page 12: Practical Covert Authentication

Covert Authentication

Protocol Idea: (1) Use a “typical” Group Signature Sch.

A BCA = COM(CertA) (PK,CertB)(PK,CertA)

ZKP[ (PK,CA) LComCert ]

KeyGen PK + (CertA,CertB,CertC,…) [unforgeable cert. scheme]

P FZKP for L

If w witness for x in L then b 1, o/w b 0

V

b

ZKP (for non-trivial L) makes a protocol inherently non-covert !

witness w statement x= (cert,dec) = (PK,C)

Page 13: Practical Covert Authentication

Covert Authentication

Protocol Idea: (2) Replace ZKP by Covert COT for LGrSig

A BCA = COM(CertA) (PK,CertB)(PK,CertA)

COT[ (PK,CA) LComCert ]

KeyGen PK + (CertA,CertB,CertC,…) [unforgeable cert. scheme]

FCOT for L

If w witness for x in L then KR=KS, o/w KR KS

KR KS

R witness w= (cert,dec) Sstatement x

= (PK,C)

& KS

Covertness:

(1) In R’s view πCOT ≈ $[πCOT] if R has no valid w for S’s x

(2) In S’s view πCOT ≈ $[πCOT] for all x

Covert Conditional Oblivious Transfer (COT) for L (KEM version)

Strong-soundness: Efficient extraction of w from covertness-breaking R

Page 14: Practical Covert Authentication

Covert Authentication

Protocol Idea: (2) Replace ZKP by Covert COT for LGrSig

A BCA = COM(CertA) (PK,CertB)(PK,CertA)

COT[ (PK,CA) LComCert ]

KeyGen PK + (CertA,CertB,CertC,…) [unforgeable cert. scheme]

FCOT for L

If w witness for x in L then KR=KS, o/w KR KS

KR KS

R witness w= (cert,dec) Sstatement x

= (PK,C)

& KS

Encryption, Conditional OT (COT), Strongly-Sound COT

Signature, ZK Proof, ZK Proof of Knowledge

Covert Conditional Oblivious Transfer (COT) for L (KEM version)

Page 15: Practical Covert Authentication

Covert Authentication

Full Protocol

[Protocol diagram: A holds (PK,CertA), B holds (PK,CertB)]

KeyGen PK + (CertA,CertB,CertC,…) [unforgeable cert. scheme]

CA = COM(CertA)

COT[ (PK,CA) LComCert ], outputs KA^R and KB^S

CB = COM(CertB)

COT[ (PK,CB) LComCert ], outputs KA^S and KB^R

KA = KA^R KA^S

KB = KB^S KB^R

Covertness (assume A has no valid Cert):

(1) A’s view of first COT together with KB^S is ≈ $[πCOT^S]

(2) A’s view of CB and of second COT is ≈ $[πCOT^R]

A’s view of the whole interaction together with KB is ≈ $

& KBS

Page 16: Practical Covert Authentication

Covert Authentication

Full Protocol

[Protocol diagram: A holds (PK,CertA), B holds (PK,CertB)]

KeyGen PK + (CertA,CertB,CertC,…) [unforgeable cert. scheme]

CA = COM(CertA)

COT[ (PK,CA) LComCert ], outputs KA^R and KB^S

CB = COM(CertB)

COT[ (PK,CB) LComCert ], outputs KA^S and KB^R

Covertness (assume A has no valid Cert):

(1) A’s view of first COT together with KB^S is ≈ $[πCOT^S]

(2) A’s view of CB and of second COT is ≈ $[πCOT^R]

A’s view of the whole interaction together with KB is ≈ $

COT needs to assure extraction of witness w from covertness-breaking Receiver

If Adv who breaks covertness of Authentication Protocol then Reduction extracts a valid certificate (forgery)

Page 17: Practical Covert Authentication

& KSKR KS

witness w Sstatement x

Assume L = { x=([g_ij]) s.t. exists w=[w_j] s.t.

g_1 = (g_11)^w_1 (g_12)^w_2 … (g_1n)^w_n

g_m = (g_m1)^w_1 (g_m2)^w_2 … (g_mn)^w_n }

Smooth Projective Hash Function (SPHF) Covert COT, but no extraction of witness w from covertness-breaking R

[ + additive and multiplicative relations between aj’s ]

Constructing Covert COT for LComCert

FCOT for L

If w witness for x in L then KR=KS, o/w KR KS

R

Page 18: Practical Covert Authentication

R

Compiler from ZKPK+ for LComCert to Covert COT

KR KS

witness w

S statement x

FCOT for L

If w witness for x in L then KR=KS, o/w KS KR

L = { x s.t. w s.t. x = g^w }

(HV)ZKPK for L

a = g^r

e $

z = r + e w

C=COM( )

SPHF[ C=COM(F(x,e,z)) ]

If COM = ElGamal PKE then SPHF for DDH tuple [CS’98] (+ 2/3 exp’s / party)

KS KR

covert COT for L

SIM for this ZKPK+:

z $ , e $

a = F(x,e,z) = g^z / x^e

Page 19: Practical Covert Authentication

R

Compiler from ZKPK+ for LComCert to Covert COT

KR KS

witness w

S statement x

FCOT for L

If w witness for x in L then KR=KS, o/w KS KR

L = { x s.t. w s.t. x = g^w }

SIM for this ZKPK+:

z $ , e $

a = F(x,e,z) = g^z / x^e

Covertness from malicious S:

• covert COM [ElGamal]

• z $ (by ZKPK+)

• SPHF non-interactive

(HV)ZKPK for L

a = g^r

e $

z = r + e w

C=COM( )

SPHF[ C=COM(F(x,e,z)) ]

KSKR

covert COT for L

Page 20: Practical Covert Authentication

R

Compiler from ZKPK+ for LComCert to Covert COT

KR KS

witness w

S statement x

FCOT for L

If w witness for x in L then KR=KS, o/w KS KR

L = { x s.t. w s.t. x = g^w }

SIM for this ZKPK+:

z $ , e $

a = F(x,e,z) = g^z / x^e

Covertness from malicious R:

(case1) C COM(F(x,e,z)) then KS R’s view of SPHF

(HV)ZKPK for L

a = g^r

e $

z = r + e w

C=COM( )

SPHF[ C=COM(F(x,e,z)) ]

KSKR

covert COT for L

Page 21: Practical Covert Authentication

R

Compiler from ZKPK+ for LComCert to Covert COT

KR KS

witness w

S statement x

FCOT for L

If w witness for x in L then KR=KS, o/w KS KR

L = { x s.t. w s.t. x = g^w }

SIM for this ZKPK+:

z $ , e $

a = F(x,e,z) = g^z / x^e

Covertness from malicious R:

(case2) C = COM(F(x,e,z)) then Forking Lemma w Ext( (e,z) , (e’,z’) )

(HV)ZKPK for L

a = g^r

e $

z = r + e w

C=COM( )

SPHF[ C=COM(F(x,e,z)) ]

KSKR

covert COT for L
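
The compiler on the preceding slides, as an added worked example (not code from the talk): a Schnorr proof for L = { x = g^w } whose first message a is sent only inside an ElGamal commitment C, followed by the DDH-tuple SPHF on the statement C = COM(F(x,e,z)), plus the two-transcript extractor behind case 2. The toy group, the CRS element h and all function names are assumptions; the sketch shows the key-agreement algebra only, not the encoding of messages as random-looking bit strings.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2Q + 1 is a safe prime and G generates the order-Q subgroup of squares.
P, Q, G = 2879, 1439, 4

def rand_exp():
    """Exponent in [1, Q-1]; zero is excluded so the toy run has no degenerate case."""
    return secrets.randbelow(Q - 1) + 1

def inv(a):
    """Inverse of a group element mod P (Fermat)."""
    return pow(a, P - 2, P)

def F(x, e, z):
    """Simulator map of the Schnorr proof: a = F(x,e,z) = g^z / x^e."""
    return pow(G, z, P) * inv(pow(x, e, P)) % P

def covert_cot(x, w_claimed, h):
    """One run of the compiled protocol; returns (K_R, K_S, transcript)."""
    # R: first Schnorr message a = g^r, sent only as C = COM(a) (ElGamal under h)
    r, t = rand_exp(), rand_exp()
    a = pow(G, r, P)
    c1, c2 = pow(G, t, P), pow(h, t, P) * a % P
    # S: random challenge e
    e = rand_exp()
    # R: response z = r + e*w
    z = (r + e * w_claimed) % Q
    # S: SPHF hash key (alpha, beta) and projection key hp for "C = COM(F(x,e,z))"
    alpha, beta = rand_exp(), rand_exp()
    hp = pow(G, alpha, P) * pow(h, beta, P) % P
    m = F(x, e, z)
    k_s = pow(c1, alpha, P) * pow(c2 * inv(m) % P, beta, P) % P
    # R: projected hash, using the commitment randomness t as SPHF witness
    k_r = pow(hp, t, P)
    return k_r, k_s, (c1, c2, e, z, hp)

def extract(e1, z1, e2, z2):
    """Two valid (e,z) pairs for the same committed a yield w = (z1-z2)/(e1-e2)."""
    return (z1 - z2) * pow((e1 - e2) % Q, Q - 2, Q) % Q
```

With a wrong witness the sender's key differs from the receiver's by the factor g^(-e(w'-w)β), which is why K_R ≠ K_S whenever e and β are nonzero.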

Page 22: Practical Covert Authentication

Extensions / Open Problems

1. Covert 2PC for any F in CRS in O(1) rounds

2. Definitions: Composable Covert MPC ?

3. Shorter Covert Authentication (EC with Bilinear Map)

4. Stronger Covert Authentication: Full-Fledged AKE

5. Other Revocation Models

6. Other Applications of Covertness

(?)

(?)

Page 23: Practical Covert Authentication

Extensions / Open Problems

1. Covert 2PC for any F in CRS in O(1) rounds

2. Shorter Covert Authentication (EC with Bilinear Map)

3. Stronger Covert Authentication: Full-Fledged AKE

4. Other Revocation Models

5. Other Applications of Covertness

… Many Other Topics in Covert Computation to Explore!