From: Mark Wooding Date: Mon, 21 Sep 2009 17:04:12 +0000 (+0100) Subject: Work in progress. This lot needs some serious sorting out. X-Git-Url: https://git.distorted.org.uk/~mdw/doc/wrestlers/commitdiff_plain/32609df3198ff2b57dc418199e863c3e16ffa8f0 Work in progress. This lot needs some serious sorting out. --- diff --git a/.gitignore b/.gitignore index 87b6f92..7b583d8 100644 --- a/.gitignore +++ b/.gitignore @@ -11,7 +11,6 @@ *.blg *.tmp *.toc -Makefile Makefile.in aclocal.m4 autom4te.cache @@ -21,3 +20,11 @@ install-sh missing COPYING Makefile.am +*.stamp +*-stamp +*.ps.gz +*.mpx +*.mps +*.snm +*.nav +*.out diff --git a/.links b/.links deleted file mode 100644 index 5ecd9c6..0000000 --- a/.links +++ /dev/null @@ -1 +0,0 @@ -COPYING diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..03ab382 --- /dev/null +++ b/Makefile @@ -0,0 +1,72 @@ +### -*-makefile-*- +### +### Makefile for Wrestlers protocol documents +### +### (c) 2008 Mark Wooding +### + +###----- Licensing notice --------------------------------------------------- +### +### This program is free software; you can redistribute it and/or modify +### it under the terms of the GNU General Public License as published by +### the Free Software Foundation; either version 2 of the License, or +### (at your option) any later version. +### +### This program is distributed in the hope that it will be useful, +### but WITHOUT ANY WARRANTY; without even the implied warranty of +### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +### GNU General Public License for more details. +### +### You should have received a copy of the GNU General Public License +### along with this program; if not, write to the Free Software Foundation, +### Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + +###-------------------------------------------------------------------------- +### Various useful tools. + +CLEANFILES = *-stamp + +## MetaPost +MPOST = mpost +CLEANFILES += *.[0-9]* *.mps +%.mpost-stamp: %.mp + $(MPOST) $< + for i in $*.[0-9]*; do mv $$i $*-$${i##*.}.mps || exit 1; done + echo timestamp >$@ + +## LaTeX and frinds +CLEANFILES += *.log *.dvi *.ps *.toc *.lot *.lof *.aux *.pdf *.bbl *.blg +CLEANFILES += *.out +%.pdf: %.ps; pstopdf $< +%.ps: %.dvi; dvips -o $@.new $< && mv $@.new $@ +%.dvi: %.dvi-stamp; +%.gz: %; gzip -9vc $^ >$@.new && mv $@.new $@ + +###-------------------------------------------------------------------------- +### Making the main paper. + +all:: wrestlers.ps wrestlers.ps.gz wrestlers.pdf +wrestlers.dvi-stamp: wrestlers.tex + ./build-latex.sh wrestlers bibtex $< \ + '\let\iffancystyle\iftrue' + +all:: wr-llncs.ps wr-llncs.ps.gz wr-llncs.pdf +wr-llncs.dvi-stamp: wrestlers.tex + ./build-latex.sh wr-llncs bibtex $< \ + '\let\iffancystyle\iffalse \let\ifshort\iftrue' + +###-------------------------------------------------------------------------- +### Making the slides. + +all:: wr-slides.pdf-stamp +wr-slides.pdf-stamp: wrslides.tex wr-main.tex + ./build-latex.sh wr-slides pdf $< \ + '\includeonly{wr-main}' + +###-------------------------------------------------------------------------- +### Useful stuff. + +.PHONY: clean +clean:; rm -f $(CLEANFILES) + +###----- That's all, folks -------------------------------------------------- diff --git a/Makefile.m4 b/Makefile.m4 deleted file mode 100644 index 4570914..0000000 --- a/Makefile.m4 +++ /dev/null @@ -1,88 +0,0 @@ -## -*-fundamental-*- -## -## $Id: Makefile.m4,v 1.1 2002/02/24 15:43:20 mdw Exp $ -## -## Makefile for IPS -## -## (c) 2002 Mark Wooding -## - -##----- Licensing notice ---------------------------------------------------- -## -## This program is free software; you can redistribute it and/or modify -## it under the terms of the GNU General Public License as published by -## the Free Software Foundation; either version 2 of the License, or -## (at your option) any later version. -## -## This program is distributed in the hope that it will be useful, -## but WITHOUT ANY WARRANTY; without even the implied warranty of -## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -## GNU General Public License for more details. -## -## You should have received a copy of the GNU General Public License -## along with this program; if not, write to the Free Software Foundation, -## Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - -AUTOMAKE_OPTIONS = foreign - -SRC = \ - wrslides.tex wrslides.cls \ - wr-backg.tex wr-main.tex ecc.mp \ - wrestlers.tex - -changequote([[, ]]) - -define([[DOECC]], [[mpost ecc.mp && mptopdf ecc.0 &&]]) -define([[L1]], [[latex $1]]) -define([[LFULL]], - [[latex $1 && bibtex $1 && latex $1 && latex $1 && latex $1]]) -define([[OUTPUTS]], [[dnl -_([[notes]], [[L1]], [[wrslides]], - [[\wrslidesfalse]], [[DOECC]])dnl -_([[slides]], [[L1]], [[wrslides]], - [[\wrslidestrue\includeonly{wr-main}]], [[DOECC]])dnl -_([[longslides]], [[L1]], [[wrslides]], - [[\wrslidestrue]], [[DOECC]])dnl -_([[paper]], [[LFULL]], [[wrestlers]], [[]])dnl -_([[llncs]], [[LFULL]], [[wrestlers]], [[\fancystylefalse\shorttrue]])dnl -]]) -define([[adorn]], [[define([[_]], [[$2$]][[1$3 ]])$1]]) -define([[tags]], [[adorn([[$1]])]]) -define([[addsuffix]], [[adorn([[$1]], [[wr-]], [[$2]])]]) - -DVI = addsuffix([[OUTPUTS]], [[.dvi]]) -DVIGZ = addsuffix([[OUTPUTS]], [[.dvi.gz]]) -PS = addsuffix([[OUTPUTS]], [[.ps]]) -PSGZ = addsuffix([[OUTPUTS]], [[.ps.gz]]) -PDF = addsuffix([[OUTPUTS]], [[.pdf]]) - -noinst_DATA = $(DVI) $(DVIGZ) $(PS) $(PSGZ) $(PDF) - -define([[_]], [[dnl -wr-$1.dvi: $(SRC) - @if [ ! -d $1 ]; then \ - mkdir $1; \ - for i in $(SRC); do ln -s ../$(srcdir)/$$i $1; done; \ - echo '$4' >$1/wr.cfg; \ - fi - cd $1 && $5 $2($3) && cp $3.dvi ../wr-$1.dvi -wr-$1.pdf: wr-$1.dvi - cd $1 && pdflatex $3 && cp $3.pdf ../wr-$1.pdf -]]) -OUTPUTS - -%.gz: %; gzip -9cv $^ >$@.new && mv $@.new $@ -%.ps: %.dvi; dvips -o $@ $^ - -CLEANFILES = *.dvi *.ps $(DVIGZ) $(PSGZ) $(PDF) *.[0-9] *-[0-9].pdf - -Makefile.am: Makefile.m4 - cd $(srcdir) && m4 Makefile.m4 >Makefile.am - -EXTRA_DIST = $(SRC) Makefile.m4 - -clean:; rm -rf tags([[OUTPUTS]]) && rm -f $(CLEANFILES) - -.PHONY: dvi - -##----- That's all, folks --------------------------------------------------- diff --git a/build-latex.sh b/build-latex.sh new file mode 100755 index 0000000..869cb28 --- /dev/null +++ b/build-latex.sh @@ -0,0 +1,27 @@ +#! /bin/sh + +set -e +jobname=$1 opts=$2 file=$3 preamble=$4 + +case ",$opts," in + *,pdf,*) tex=pdflatex ext=pdf;; + *) tex=latex ext=dvi;; +esac + +for i in toc lot lof aux ind idx ilg bbl blg log; do + rm -f "$jobname".$i +done + +$tex -jobname "$jobname" "\\relax $preamble \\input $file" +case ",$opts," in *,bibtex,*) bibtex "$jobname".aux;; esac +$tex -jobname "$jobname" "\\relax $preamble \\input $file" +$tex -jobname "$jobname" "\\relax $preamble \\input $file" +case ",$opts," in + *,index=*,*) + ist=$(echo "$opts" | sed 's:.*,index=\([^,]*\),.*$:\1:') + makeindex -s"$ist" "$jobname".idx + ;; +esac +$tex -jobname "$jobname" "\\relax $preamble \\input $file" + +echo timestamp >"$jobname".$ext-stamp diff --git a/configure.in b/configure.in deleted file mode 100644 index 35b95e9..0000000 --- a/configure.in +++ /dev/null @@ -1,30 +0,0 @@ -dnl -*-fundamental-*- -dnl -dnl $Id: configure.in,v 1.2 2002/07/17 08:52:06 mdw Exp $ -dnl -dnl Dummy configuration script for Wrestlers Protocol paper -dnl -dnl (c) 2002 Mark Wooding -dnl - -dnl ----- Licensing notice -------------------------------------------------- -dnl -dnl This program is free software; you can redistribute it and/or modify -dnl it under the terms of the GNU General Public License as published by -dnl the Free Software Foundation; either version 2 of the License, or -dnl (at your option) any later version. -dnl -dnl This program is distributed in the hope that it will be useful, -dnl but WITHOUT ANY WARRANTY; without even the implied warranty of -dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -dnl GNU General Public License for more details. -dnl -dnl You should have received a copy of the GNU General Public License -dnl along with this program; if not, write to the Free Software Foundation, -dnl Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - -AC_INIT(wrestlers.tex) -AM_INIT_AUTOMAKE(wrestlers, 1.0.0) -AC_OUTPUT(Makefile) - -dnl ----- That's all, folks ------------------------------------------------- diff --git a/wr-main.tex b/wr-main.tex index 3df0e46..e876700 100644 --- a/wr-main.tex +++ b/wr-main.tex @@ -1,26 +1,20 @@ -\xcalways\section{The Wrestlers Protocol}\x +\section{The Wrestlers Protocol} +\frame{\tableofcontents[currentsection]} -\xcalways\subsection{Identification using Diffie-Hellman}\x +\subsection{Identification using Diffie-Hellman} -\begin{slide} - \resetseq - \head{Identification using Diffie-Hellman \seq: properties} - \topic{properties} - - \begin{itemize} +\begin{frame}{Identification using Diffie-Hellman: properties} + \begin{itemize}[<+->] \item Simple -- easy to remember, analyse and implement \item Practical -- two scalar multiplications for each party \item Secure -- under Computational Diffie-Hellman assumption \item Zero-knowledge -- statistical ZK \item Proofs in random oracle model -- but without `programming' \end{itemize} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: basic setting} - \topic{setting} +\end{frame} - \begin{itemize} +\begin{frame}{Identification using Diffie-Hellman: basic setting} + \begin{itemize}[<+->] \item Cyclic group $(G, +)$ \item $|G| = q$ is prime \item $P$ generates $G$ @@ -28,222 +22,237 @@ \item Alice's public key is $A = a P$ \item Assume computational Diffie-Hellman problem hard in $G$ \end{itemize} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: na\"\i ve attempt} - \topic{protocol design} - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - \\ - \\ - \\ - \send{<-}{R} - $Y \gets a R$; \\ - \\ - \\ - \\ - \send{->}{Y} - & \textbf{Check} $Y = r A$ - \end{protocol} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: fix it with a hash} - \protocolskip0pt - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & $Y \gets r A$; \\ - & \diff $h \gets H(\cookie{check}, R, Y)$; \\ - & \\ - \send{<-}{(R, \hbox{\diff $h$})} - $Y \gets a R$; \\ - \\ - \\ - \diff \textbf{Check} $h = H(\cookie{check}, R, Y)$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ - \end{protocol} - \dots but there are still small-subgroup attacks -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: Stinson-Wu [SW06]} - \protocolskip0pt - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & $Y \gets r A$; \\ - & $h \gets H(\cookie{check}, Y)$; \\ - & \\ - \send{<-}{(R, h)} - $Y \gets a R$; \\ - \\ - \diff \textbf{Check} $q R = 0$; \\ - \textbf{Check} $h = H(\cookie{check}, Y)$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ - \end{protocol} - \dots and apply the Knowledge of Exponent assumption -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: the Wrestlers Protocol - $\Wident$} - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & $Y \gets r A$; \\ - & $h \gets H(\cookie{check}, R, Y)$; \\ - & \diff $c \gets h \xor r$; \\ - \send{<-}{(R, \hbox{\diff $c$})} - $Y \gets a R$; \\ - $h \gets H(\cookie{check}, R, Y)$; \\ - \diff $r \gets c \xor h$; \\ - \diff \textbf{Check} $R = r P$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ - \end{protocol} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: identification-based - $\Wident$} - - \begin{protocol} - Alice & Bob \\ - (Private key $K_A = t I_A$) & - (Public key $I_A = H(\cookie{id}, \text{Alice})$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & \diff $Y \gets \hat{e}(T, I_A)^r$; \\ - & $h \gets H(\cookie{check}, R, Y)$; \\ - & $c \gets h \xor r$; \\ - \send{<-}{(R, c)} - \diff $Y \gets \hat{e}(R, K_A)$; \\ - $h \gets H(\cookie{check}, R, Y)$; \\ - $r \gets c \xor h$; \\ - \textbf{Check} $R = r P$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ +\end{frame} + +\begin{frame}{Identification using Diffie-Hellman: protocols} + %% Overlays: + %% 1 - basic setup (alice's keys) + %% naïve version + %% 2 - bob makes eqphemeral keys + %% 3 - bob sends challenge to alice + %% 4 - alice computes response and sends it back + %% 5 - bob computes expected answer + %% 6 - bob checks alice's response + %% 7 - remark? + %% hash fix (8) + %% 9 - bob computes check hash and sends it + %% 10 - alice verifies the hash + %% 11 - remark? + %% stinson-wu (12) + %% 13 - check subgroup membership + %% 14 - don't hash U + %% 15 - remark? + %% wrestlers (16) + %% 17 - bob computes and sends c + %% 18 - alice recovers and checks u + \begin{protocol}{5}{16} + \node [alice, thoughts] at (0, 2) + {Private: $a \inr \Nupto{q}$ \\ + Public: $A = a P$}; + \uncover<2->{ + \node [bob, thoughts] at (0, 4) + {{$u \getsr \Nupto{q}$; \\ + $U \gets u P$; \\ + \action<5->{$Y \gets u A$;} \\ + \action<9-| alert@9-11>{$ + h \gets H(\cookie{check}, + \only<9-13,16->{U, Y} + \action{Y}) + $;} \\ + \action<17-| alert@17-> { + $c \gets u \xor h$; + } + }}; + } + \uncover<3->{ + \path [message, ->] (0, 10) -- node [above] + {{\vphantom{$,$} + \only<3-8>{$U$} + \only<9-16>{$U, \alert<9-11>{h}$} + \only<17->{$U, \alert<17->{c}$} }} + +(1, 0); + } + \uncover<4->{ + \node [alice, thoughts] at (0, 10) + {{$Y' \gets a U$; \\ + \action + {Check $h = H(\cookie{check}, + \only<10-13,16->{U, Y} + \action{Y}) + $; \\} + \only<17-> + {$h' \gets H(\cookie{check}, U, Y)$; \\} + \action{Check $q U = 0$;} + \action{ + $r' \gets h' \xor c$; \\ + Check $r' P = U$; + }}}; + \path [message, <-] (0, 14) -- node [above] {$Y'$} +(1, 0); + } + \uncover<6->{ + \node [bob, thoughts] at (0, 14) {Check $Y = Y'$;}; + } \end{protocol} - (Trusted authority's private key $t \inr \Nupto{q}$; public key $T = t P$) -\end{slide} - -\xcalways\subsection{Key exchange}\x - -\begin{slide} - \resetseq - \head{Mutual identification \seq: Bob identifies Alice} - \topic{mutual identification} - - \begin{protocol} - Alice & Bob \\ - (Private key $a$, public key $A = a P$) - \\[\medskipamount] - & $r_B \getsr \Nupto{q}$; \\ - & $R_B \gets r_B P$; \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \\ - $Y_B \gets a R_B$; \\ - \\ - \send{->}{Y_B} - \end{protocol} -\end{slide} - -\begin{slide} - \head{Mutual identification \seq: Alice identifies Bob too} - - \begin{protocol} - Alice & Bob \\ - (Private key $a$, public key $A = a P$) & - \other (Private key $b$, public key $B = b P$) - \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - \\ - \send{->}{Y_B} - \send{<-}{\other Y_A} - \end{protocol} -\end{slide} - -\begin{slide} - \head{Mutual identification \seq: key exchange?} - - \begin{protocol} - Alice & Bob \\ - (Private key $a$, public key $A = a P$) & - \other (Private key $b$, public key $B = b P$) - \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - \\ - \send{->}{Y_B} - \send{<-}{\other Y_A} - \diff $Z \gets r_A R_B$; & \diff $Z \gets r_B R_A$; + \par\vskip-\bigskipamount + \begin{itemize} + \item Naïve attempt + \only<7>{-- lots of attacks against this protocol.} + \item Fix it with a hash + \only<11>{-- still open to small-subgroup attacks.} + \item Stinson-Wu [SW06] + \only<15>{-- and assume Knowledge of Exponent.} + \item The Wrestlers identification protocol $\Wident$. + \end{itemize} \par +\end{frame} + +\subsection{Key exchange} + +\begin{frame}{Mutual identification: protocol} + \begin{protocol}{4}{14} + \node [alice, thoughts] at (0, 2) + {\footnotesize Private $a$; public $A = a P$}; + + \node [bob, thoughts] at (0, 3) + {{ $u \getsr \Nupto{q}$; \\ + $U \gets u P$; + $Y_B \gets u A$; }}; + \path [message, ->] (0, 5.5) -- node [above] + {$U, u \xor H(\cookie{check}, U, Y_B$)} + +(1, 0); + + \node [alice, thoughts] at (0, 8) + {{ $Y'_B \gets a U$; }}; + \path [message, <-] (0, 9) -- node [above] + {$Y'_B$} + +(1, 0); + + \only<2->{ + \node [bob, other, thoughts] at (0, 2) + {\footnotesize Private $b$; public $B = b P$}; + + \node [alice, other, thoughts] at (0, 3) + {{ $v \getsr \Nupto{q}$; \\ + $V \gets v P$; + $Y_A \gets v B$; }}; + \path [message, other, <-] (0, 7) -- node [above] + {$V, v \xor H(\cookie{check}, V, Y_A$)} + +(1, 0); + + \node [bob, other, thoughts] at (0, 8) + {{ $Y'_A \gets b V$; }}; + \path [message, other, ->] (0, 10.5) -- node [above] + {$Y'_A$} + +(1, 0); + } + \action<3-| alert@3->{ + \node [bob, thoughts] at (0, 11) {$Z \gets u V = u v P$;}; + \node [alice, thoughts] at (0, 11) {$Z \gets v U = u v P$;}; + } \end{protocol} - \bigskip - Unfortunately it's not secure. -\end{slide} - -\begin{slide} - \resetseq - \head{Key exchange \seq: properties} - \topic{properties} - + \par\vskip-\bigskipamount \begin{itemize} - \item Simple -- symmetrical; based on mutual identification - \item Practical -- three, four or five flows; four multiplications by each - party - \item Secure -- provides SK-security in model of [CK01] - \item Deniable -- simulator can produce convincing transcripts - \item Proofs in random oracle model -- again without `programming' + \item<3-> We can do ephemeral Diffie-Hellman with the challenges! + \item<4-> Unfortunately, it's not secure. \end{itemize} -\end{slide} +\end{frame} -\begin{slide} - \head{Key exchange \seq: setting} - \topic{setting} +\begin{frame}{Key exchange: properties} + \begin{itemize}[<+->] + \item Simple -- symmetrical; based on mutual identification. + \item Practical -- three, four or five flows; four multiplications by each + party. + \item Secure -- provides SK-security in model of [CK01]. + \item Deniable -- simulator can produce convincing transcripts. + \item Proofs in random oracle model -- again without `programming'. + \end{itemize} +\end{frame} - \begin{itemize} - \item Cyclic group $(G, +)$ - \item $|G| = q$ is prime - \item $P$ generates $G$ +\begin{frame}{Key exchange: setting} + \begin{itemize}[<+->] + \item Cyclic group $(G, +)$. + \item $|G| = q$ is prime. + \item $P$ generates $G$. \item Alice's private key is $a \inr \Nupto{q}$; her public key is $A = a - P$ + P$. \item Bob's private key is $b \inr \Nupto{q}$; his public key is $B = b - P$ - \item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$ - \item Assume computational Diffie-Hellman problem hard in $G$ + P$. + \item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$. + \item Assume computational Diffie-Hellman problem hard in $G$. \end{itemize} -\end{slide} +\end{frame} + +\begin{frame}{Key exchange: protocols} + %% overlays + %% 1 - original broken protocol + %% 2 - encrypt responses + %% 3 - session-ids + %% 4 - pre-challenges + \begin{protocol}{3.9}{17} + \node [alice, thoughts] at (0, 1.5) + {\footnotesize Private $a$; public $A = a P$}; + + \node [bob, thoughts] at (0, 3) + {{ $u \getsr \Nupto{q}$; \\ + $U \gets u P$; + $Y_B \gets u A$; }}; + \only<4-> + {\path [message, ->] (0, 6) -- node [above] {$\alert<4>{U}$} +(1, 0);} + \path [message, ->] (0, 9) -- node [above] + {$U, u \xor H(\cookie{check}, + \only<3->{\alert<3>{B}, \alert<3>{s},} + \only<4->{\alert<4>{V},} + U, Y_B$)} + +(1, 0); + + \node [alice, thoughts] at (0, 11) + {{\strut + \only<1>{$Z \gets v U$; \\}% + \action + {$(K, \hat{K}) \gets H(\cookie{key}, v U)$; \\}% + $Y'_B \gets a U$; }}; + \path [message, <-] (0, 13.5) -- node [above] + {$\action{E_{\hat{K}}(} + Y'_B + \action{)}$} + +(1, 0); + + \node [bob, other, thoughts] at (0, 1.5) + {\footnotesize Private $b$; public $B = b P$}; + + \node [alice, other, thoughts] at (0, 3) + {{ $v \getsr \Nupto{q}$; \\ + $V \gets v P$; + $Y_A \gets v B$; }}; + \only<4-> + {\path [message, other, <-] (0, 7.5) -- + node [above] {$\alert<4>{V}$} +(1, 0);} + \path [message, other, <-] (0, 10.5) -- node [above] + {$V, v \xor H(\cookie{check}, + \only<3->{\alert<3>{A}, \alert<3>{s},} + \only<4->{\alert<4>{U},} + V, Y_A$)} + +(1, 0); + + \node [bob, other, thoughts] at (0, 11) + {{\strut + \only<1>{$Z \gets u V$; \\}% + \action + {$(K, \hat{K}) \gets H(\cookie{key}, u V)$; \\}% + $Y'_A \gets b V$; }}; + \path [message, other, ->] (0, 15) -- node [above] + {${\action{E_{\hat{K}}(}} + Y'_A + {\action{)}}$} + +(1, 0); + \node [bob, thoughts] at (0, 15.5) {Use key $K$;}; + \node [alice, thoughts] at (0, 15.5) {Use key $K$;}; + \end{protocol} +\end{frame} -\begin{slide} +\endinput + + +\begin{frame} \head{Key exchange \seq: broken first attempt} \topic{protocol design} @@ -252,21 +261,21 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ \\ \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - $Z \gets r_A R_B$; & $Z \gets r_B R_A$; \\ - \send{->}{(R_A, Y_B)} - \send{<-}{\other (R_B, Y_A)} + \send{<-}{(U, u \xor H(\cookie{check}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + $Z \gets u_A U$; & $Z \gets u U_A$; \\ + \send{->}{(U_A, Y_B)} + \send{<-}{\other (U, Y_A)} Key is $Z$ & Key is $Z$ \end{protocol} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: solution -- encrypt responses} \begin{protocol} @@ -274,22 +283,22 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ \\ \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - \diff $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; & - \diff $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\ - \send{->}{(R_A, \hbox{\diff $E_{K_0}(Y_B)$})} - \send{<-}{\other (R_B, \hbox{\diff $E_{K_0}(Y_A)$})} + \send{<-}{(U, u \xor H(\cookie{check}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + \diff $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; & + \diff $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\ + \send{->}{(U_A, \hbox{\diff $E_{K_0}(Y_B)$})} + \send{<-}{\other (U, \hbox{\diff $E_{K_0}(Y_A)$})} Key is $K_1$ & Key is $K_1$ \end{protocol} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: multiple sessions} \begin{protocol} @@ -297,25 +306,25 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ \\ \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, - \hbox{\diff $B$}, \hbox{\diff $s$}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, - \hbox{\diff $A$}, \hbox{\diff $s$}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; & - $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\ - \send{->}{(R_A, E_{K_0}(Y_B))} - \send{<-}{\other (R_B, E_{K_0}(Y_A))} + \send{<-}{(U, u \xor H(\cookie{check}, + \hbox{\diff $B$}, \hbox{\diff $s$}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, + \hbox{\diff $A$}, \hbox{\diff $s$}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; & + $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\ + \send{->}{(U_A, E_{K_0}(Y_B))} + \send{<-}{\other (U, E_{K_0}(Y_A))} Key is $K_1$ & Key is $K_1$ \end{protocol} (Session id is $s$) -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: proof sketch} \begin{itemize} @@ -324,20 +333,20 @@ (collision bound). \item In $\G2$, use extractor to answer challenges other than from matching session. - \item In $\G3$, stop game if adversary queries $H(\cookie{key}, r_A r_b P)$ + \item In $\G3$, stop game if adversary queries $H(\cookie{key}, u_A u P)$ (CDH in $G$). \item In $\G4$, stop game if session accepts response except from matching session. \begin{itemize} \item In $\G5$, focus on a single session (factor of $q_S$). - \item In $\G6$, encrypt $1^{|Y|}$ instead of $Y = x R$ (IND-CCA of $\E$). + \item In $\G6$, encrypt $1^{|Y|}$ instead of $Y = x U$ (IND-CCA of $\E$). \item In $\G7$, focus on a single party (factor of $n$). \item Now if party accepts, reduce from impersonating in $\Wident$. \end{itemize} \end{itemize} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: security result} \begin{spliteqn*} \InSec{sk}(\Wkx^{G, \E}; t, n, q_S, q_M, q_I, q_K) \le @@ -358,9 +367,9 @@ \item $t' = t + O(q_S) + O(q_M q_I) + O(q_K)$ \end{itemize} \end{multicols} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: fully deniable variant} \begin{protocol} @@ -368,24 +377,23 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ - \send{->}{\diff R_A} - \send{<-}{\diff R_B} - \send{<-}{(R_B, r_B \xor H(\cookie{check}, B, s, \hbox{\diff $R_A$}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, A, s, \hbox{\diff $R_B$}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; & - $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\ - \send{->}{(R_A, E_{K_0}(Y_B))} - \send{<-}{\other (R_B, E_{K_0}(Y_A))} + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ + \send{->}{\diff U_A} + \send{<-}{\diff U} + \send{<-}{(U, u \xor H(\cookie{check}, B, s, \hbox{\diff $U_A$}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, A, s, \hbox{\diff $U$}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; & + $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\ + \send{->}{(U_A, E_{K_0}(Y_B))} + \send{<-}{\other (U, E_{K_0}(Y_A))} Key is $K_1$ & Key is $K_1$ \end{protocol} -\end{slide} - -\endinput +\end{frame} -%%% Local Variables: +%%% Local Variables: %%% mode: latex %%% TeX-master: "wrslides" -%%% End: +%%% TeX-PDF-mode: t +%%% End: diff --git a/wrestlers.tex b/wrestlers.tex index 44a8a5d..2807644 100644 --- a/wrestlers.tex +++ b/wrestlers.tex @@ -5,35 +5,36 @@ %%% (c) 2006 Mark Wooding %%% -\newif\iffancystyle\fancystylefalse -\newif\ifshort\shortfalse -\fancystyletrue -\InputIfFileExists{wr.cfg}\relax\relax +\ifx\iffancystyle\xxundefined\newif\iffancystyle\fancystyletrue\fi +\ifx\ifshort\xxundefined\newif\ifshort\shortfalse\fi + +\typeout{Options:} +\typeout{ Fancy style: \iffancystyle ON\else OFF\fi} +\typeout{ Short version: \ifshort ON\else OFF\fi} + \errorcontextlines=\maxdimen \showboxdepth=\maxdimen \showboxbreadth=\maxdimen \iffancystyle - \documentclass - [a4paper, article, 10pt, numbering, noherefloats, notitlepage, - runinsubsubsec] - {strayman} + \documentclass{strayman} + \parskip=0pt plus 1pt \parindent=1.2em \usepackage[T1]{fontenc} \usepackage[palatino, helvetica, courier, maths=cmr]{mdwfonts} \usepackage[within = subsection, mdwmargin]{mdwthm} \usepackage{mdwlist} \usepackage{sverb} - \if0\ifx\pdfoutput\xxundefined0\else\the\pdfoutput\fi + \ifpdfing\else \PassOptionsToPackage{dvips}{xy} \fi \else - \documentclass[a4paper]{llncs} - \usepackage{a4wide} + \PassOptionsToClass{runningheads}{llncs} + \documentclass{llncs} \fi \PassOptionsToPackage{show}{slowbox} %\PassOptionsToPackage{hide}{slowbox} -\usepackage{mdwtab, mathenv, mdwmath, crypto} +\usepackage{mdwtab, mdwmath, crypto} \usepackage{slowbox} \usepackage{amssymb, amstext} \usepackage{url, multicol} @@ -43,14 +44,20 @@ \usepackage[all]{xy} \turnradius{4pt} \fi +\usepackage{mathenv} +\newcommand{\Nupto}[1]{\{0, 1, \ldots, #1 - 1\}} \iffancystyle - \def\next{\title[The Wrestlers Protocol]} + \let\next\title \else - \def\next{\title} + \def\next[#1]{\titlerunning{#1}\title} \fi \next - {The Wrestlers Protocol \\ + [The Wrestlers Protocol] + {The Wrestlers Protocol% + \ifshort\thanks{This is an extended abstract; the full version + \cite{Wooding:2006:WP} is available from + \texttt{http://eprint.iacr.org/2006/386/}.}\fi \\ A simple, practical, secure, deniable protocol for key-exchange} \iffancystyle \author{Mark Wooding \\ \email{mdw@distorted.org.uk}} @@ -70,16 +77,11 @@ \numberwithin{equation}{subsection} \let\random\$ \else - \bibliographystyle{plain} + \bibliographystyle{splncs} \expandafter\let\csname claim*\endcsname\claim \expandafter\let\csname endclaim*\endcsname\endclaim \fi -\iffancystyle - \newcommand{\Nupto}[1]{\N_{<{#1}}} -\else - \newcommand{\Nupto}[1]{\{0, 1, \ldots, #1 - 1\}} -\fi \let\Bin\Sigma \let\emptystring\lambda \edef\Pr{\expandafter\noexpand\Pr\nolimits} @@ -98,6 +100,13 @@ \def\fixme#1{\marginpar{FIXME}[FIXME: #1]} \def\hex#1{\texttt{#1}_{x}} +\newenvironment{longproof}[1]{% + \ifshort#1\expandafter\ignore + \else\proof\fi +}{% + \ifshort\else\endproof\fi +} + \def\dbox#1{% \vtop{% \def\\{\unskip\egroup\hbox\bgroup\strut\ignorespaces}% @@ -129,6 +138,14 @@ \def\PRreveal{\textsf{Session-state reveal}\ar[r]} \def\protocolrun#1{\[\xymatrix @R=0pt @C=2em {#1}\]} +\def\protocol{% + \unskip\bigskip + \begin{tabular*}{\linewidth}% + {@{\qquad}l@{\extracolsep{0ptplus1fil}}r@{\qquad}}} +\def\endprotocol{\end{tabular*}} +\def\send#1#2{\noalign{% + \centerline{\xy\ar @{#1}|*+{\mathstrut#2}<.5\linewidth, 0pt>\endxy}}} + %% class-ids for proof of extractor lemma \let\Cid=\Lambda \let\Csession=S @@ -141,6 +158,10 @@ \def\HG#1{\mathbf{H}_{#1}} +\iffancystyle\else + \let\xsssec\subsubsection\def\subsubsection#1{\xsssec[#1]{#1.}} +\fi + \begin{document} %%%-------------------------------------------------------------------------- @@ -178,7 +199,6 @@ \section{Introduction} - This paper proposes protocols for \emph{identification} and \emph{authenticated key-exchange}. @@ -187,8 +207,10 @@ really talking to another party, say Alice. It assumes that Bob has some way of recognising Alice; for instance, he might know her public key. Our protocol requires only two messages -- a challenge and a response -- and has a number of useful properties. It is very similar to, though designed -independently of, a recent protocol by Stinson and Wu; we discuss their -protocol in section~\ref{sec:stinson-ident}. +independently of, a recent protocol by Stinson and Wu +\cite{Stinson:2006:EST}; we discuss their protocol and compare it to ours in +\ifshort the full version of this paper. \else +section~\ref{sec:stinson-ident}. \fi Identification protocols are typically less useful than they sound. As Shoup \cite{Shoup:1999:OFM} points out, it provides a `secure ping', by which Bob @@ -239,6 +261,7 @@ properties. a given protocol execution. \end{itemize} +\ifshort\else \subsection{Asymptotic and concrete security results} Most security definitions for identification (particularly zero-knowledge) @@ -270,10 +293,26 @@ Rather than attempting to say, formally, whether or not a protocol is `secure', we associate with each protocol an `insecurity function' which gives an upper bound on the advantage of any adversary attacking the protocol within given resource bounds. - +\fi \subsection{Formal models for key-exchange} +\ifshort + +The first model for studying the \emph{computational} security of +key-exchange protocols (rather than using protocol-analysis logics like that +of \cite{Burrows:1989:LA}) was given by Bellare and Rogaway +\cite{Bellare:1994:EAK}; the model has since been enhanced, both by the +original authors and others, in \cite{Bellare:1995:PSS,% +Blake-Wilson:1997:KAP,Blake-Wilson:1998:EAA}. The model defines security +in terms of a game: key-exchange protocols are secure if an adversary can't +distinguish the key agreed by a chosen `challenge session' from a key chosen +independently at random. Other models for key-exchange have been proposed in +\cite{Bellare:1998:MAD} and \cite{Shoup:1999:OFM}; these use a different +notion of security, involving implementation of an ideal functionality. + +\else + Many proposed key-exchange protocols have turned out to have subtle security flaws. The idea of using formal methods to analyse key-exchange protocols begins with the logic of Burrows, Abadi and Needham \cite{Burrows:1989:LA}. @@ -323,14 +362,17 @@ based on the idea of simulation. He analyses the previous models, particularly \cite{Bellare:1994:EAK} and \cite{Bellare:1998:MAD}, and highlights some of their inadequacies. +\fi + Canetti and Krawczyk \cite{Canetti:2001:AKE} describe a new notion of -security in the basic model of \cite{Bellare:1998:MAD}, based on the +security in the model of \cite{Bellare:1998:MAD}, based on the challenge-session notion of \cite{Bellare:1994:EAK}. The security notion, called `SK-security', seems weaker in various ways than those of earlier works such as \cite{Bellare:1994:EAK} or \cite{Shoup:1999:OFM}. However, the authors show that their notion suffices for constructing `secure channel' protocols, which they also define. +\ifshort\else In \cite{Canetti:2001:UCS}, Canetti describes the `universal composition' framework. Here, security notions are simulation-based: one defines security notions by presenting an `ideal functionality'. A protocol securely @@ -347,11 +389,13 @@ functionalities, and then `plug in' secure implementations of the ideal functionalities and appeal to the theorem to prove the security of the entire protocol. The UC framework gives rise to very strong notions of security, due to the interactive nature of the `environment' distinguisher. +\fi Canetti and Krawczyk \cite{Canetti:2002:UCN} show that the SK-security notion of \cite{Canetti:2001:AKE} is \emph{equivalent} to a `relaxed' notion of -key-exchange security in the UC framework, and suffices for the construction -of UC secure channels. +key-exchange security in the UC framework\ifshort\space of +\cite{Canetti:2001:UCS}\fi, and suffices for the construction of UC secure +channels. The result of \cite{Canetti:2002:UCN} gives us confidence that SK-security is the `right' notion of security for key-exchange protocols. Accordingly, @@ -371,26 +415,35 @@ The remaining sections of this paper are as follows. \item Section \ref{sec:kx} describes the simple version of our key-exchange protocol, and proves its security and deniability. It also describes some minor modifications which bring practical benefits without damaging - security. + security. \item Finally, section \ref{sec:conc} presents our conclusions. \end{itemize} +\ifshort +The full version of this paper describes how to make our protocols +identity-based by using bilinear pairings using the techniques introduced in +\cite{Boneh:2003:IBE}. It also contains proofs of the various theorems +stated here. +\fi + %%%-------------------------------------------------------------------------- \section{Preliminaries} \label{sec:prelim} -\subsection{Miscellaneous notation} +\ifshort +\subsection{Basics} +\let\prelimsec\subsubsection +\else +\let\prelimsec\subsection +\fi + +\prelimsec{Miscellaneous notation} We write $\Func{D}{R}$ for the set of all functions with domain $D$ and range $R$. -\iffancystyle -We write $\Nupto{n} = \{\, i \in \Z \mid 0 \le i < n \,\} = \{0, 1, \ldots, n -- 1\}$ for the set of nonnegative integers less than $n$. -\fi - -\subsection{Groups} +\prelimsec{Groups} Let $(G, +)$ be a cyclic group\footnote{ We find that additive group notation is easier to read. In particular, in @@ -399,10 +452,13 @@ Let $(G, +)$ be a cyclic group\footnote{ of prime order $q$, and generated by an element $P$. We shall write the identity of $G$ as $0_G$, or simply as $0$ when no ambiguity is likely to arise. Thus, we have $\langle P \rangle = G$ and $q P = 0$. Any $X \in G$ -can be written as $X = x P$ for some $x \in \Nupto{q}$. +can be written as $X = x P$ for some $x \in \{0, 1, \ldots, q - 1\}$. +We consider a cyclic group of order $n$ as a $\Z/n\Z$-module, and in +particular our group $G$ can be seen as a vector space over $\gf{q}$. This +makes the notation slightly more convenient. -\subsection{Bit strings and encodings} +\prelimsec{Bit strings and encodings} \label{sec:bitenc} Let $\Bin = \{0, 1\}$ be the set of binary digits. Then $\Bin^n$ is the set @@ -412,23 +468,30 @@ string $x \in \Bin^n$, and for $0 \le i < n$, we write $x[i]$ as the $i$th bit of $x$. The empty string is denoted $\emptystring$. Let $x$ and $y$ be two bit strings. If $|x| = |y| = n$, we write $x \xor y$ -to mean the bitwise exclusive-or of $x$ and $y$: if $z = x \xor y$ then $|z| -= n$, and $z[i] = (x[i] + y[i]) \bmod 2$ for $0 \le i < n$. We write $x \cat -y$ to mean the concatenation of $x$ and $y$: if $z = x \cat y$ then $|z| = -|x| + |y|$ and $z[i] = x[i]$ if $0 \le i < |x|$ and $z[i] = y[i - |x|]$ if -$|x| < i \le |x| + |y|$. +to mean the bitwise exclusive-or of $x$ and $y$\ifshort\else: if $z = x \xor +y$ then $|z| = n$, and $z[i] = (x[i] + y[i]) \bmod 2$ for $0 \le i < n$\fi. +We write $x \cat y$ to mean the concatenation of $x$ and $y$\ifshort\else: if +$z = x \cat y$ then $|z| = |x| + |y|$ and $z[i] = x[i]$ if $0 \le i < |x|$ +and $z[i] = y[i - |x|]$ if $|x| < i \le |x| + |y|$\fi. Finally, we let $\bot$ be a value distinct from any bit string. We shall want to encode group elements $X \in G$ and indices $x \in I = -\Nupto{|G|}$ as bit strings. To this end, we shall assume the existence of +\gf{q}$ as bit strings. +\ifshort +To this end, we shall assume the existence of efficient, unambiguous +encodings of group elements as $\ell_G$-bit strings, and indices as +$\ell_I$-bit strings. To reduce clutter, we shall leave encoding and +decoding as implicit operations. +\else +To this end, we shall assume the existence of integers $\ell_G, \ell_I > 0$ and functions \[ e_S\colon S \to \Bin^{\ell_S} \quad \textrm{and} \quad d_S\colon \Bin^{\ell_S} \to S \cup \{ \bot \} \qquad - \textrm{for } S \in \{ G, I \}. + \textrm{for } S \in \{ G, \F \}. \] with the following properties. \begin{itemize} @@ -449,9 +512,10 @@ the security of our protocols. We shall frequently abuse notation by omitting the encoding and decoding functions where it is obvious that they are required. +\fi - -\subsection{Games, adversaries, and oracles} +\ifshort\else +\prelimsec{Games, adversaries, and oracles} \label{sec:games} Many of the security definitions and results given here make use of @@ -469,7 +533,7 @@ The games provide models of someone trying to attack a construction or protocol. For security, we will either define a notion of `winning' the game, and require that all adversaries have only a very small probability of winning, or we consider two different games and require that no adversary can -distinguish between the two except with very small probability. +distinguish between the two except with very small probability. Our proofs make frequent use of sequences of games; see \cite{Shoup:2004:SGT,Bellare:2004:CBG}. The presentation owes much to Shoup @@ -488,25 +552,27 @@ The following simple lemma from \cite{Shoup:2001:OR} will be frequently useful. \begin{lemma}[Difference Lemma] \label{lem:shoup} - Let $S$, $T$, $F$ be events. Suppose $\Pr[S|\bar F] = \Pr[T|\bar F]$. - Then $|\Pr[S] - \Pr[T]| \le \Pr[F]$. + Let $S$, $T$, $F$ be events. Suppose $\Pr[S \mid \bar F] = + \Pr[T \mid \bar F]$. Then $|\Pr[S] - \Pr[T]| \le \Pr[F]$. \end{lemma} \begin{proof} A simple calculation: \begin{eqnarray*}[rl] |\Pr[S] - \Pr[T]| - & = |(\Pr[S|F]\Pr[F] + \Pr[S|\bar F]\Pr[\bar F]) - - (\Pr[T|F]\Pr[F] + \Pr[T|\bar F]\Pr[\bar F])| \\ - & = \Pr[F] \cdot |\Pr[S|F] - \Pr[T|F]| \\ + & = |(\Pr[S \mid F]\Pr[F] + \Pr[S \mid \bar F]\Pr[\bar F]) - + (\Pr[T \mid F]\Pr[F] + \Pr[T \mid \bar F]\Pr[\bar F])| \\ + & = \Pr[F] \cdot |\Pr[S \mid F] - \Pr[T \mid F]| \\ & \le \Pr[F] \end{eqnarray*} and we're done! \end{proof} +\fi -\subsection{The random oracle model} +\prelimsec{The random oracle model} \label{sec:ro} +\ifshort\else In particular, most of our results will make use of the \emph{random oracle} model \cite{Bellare:1993:ROP}, in which all the participants, including the adversary, have access to a number of `random oracles'. A random oracle with @@ -525,9 +591,10 @@ Proofs in the random oracle must be interpreted carefully. For example, Canetti, Goldreich and Halevi \cite{Canetti:2004:ROM} show that there are schemes which can be proven secure in the random oracle model but provably have no secure instantiation in the standard model. +\fi -The random oracle model is useful for constructing reductions and simulators -for two main reasons. +The random oracle model \ifshort\cite{Bellare:1993:ROP} \fi is useful for +constructing reductions and simulators for two main reasons. \begin{enumerate} \item One can use the transcript of an adversary's queries to random oracles in order to extract knowledge from it. @@ -545,14 +612,17 @@ that the only sensible way of working out (anything about) the hash of a particular string is to actually compute the hash function, and the random oracle model is, we hope, just giving us a `hook' into this process. +\ifshort\else (Our protocols can be modified to make use of bilinear pairings so as to provide identity-based identification and key-exchange, using the techniques of \cite{Boneh:2003:IBE}. Proving the security of the modifications we discuss would involve `programming' random oracles, but this doesn't affect the zero-knowledge or deniability of the resulting protocols.) +\fi -\subsection{Notation for algorithms} +\ifshort\else +\prelimsec{Notation for algorithms} We shall have occasion to describe algorithms by means of a pseudocode. Our choice of pseudocode is unlikely to be particularly controversial. We let $x @@ -575,9 +645,9 @@ explicitly, leaving the reader to determine these from context. Finally, the notation $\Pr[\textit{algorithm} : \textit{condition}]$ denotes the probability that \textit{condition} is true after running the given \textit{algorithm}. +\fi - -\subsection{Diffie-Hellman problems} +\prelimsec{Diffie-Hellman problems} \label{sec:dhp} The security of our protocols is related to the hardness of the @@ -586,12 +656,13 @@ We define these problems and what it means for them to be `hard' here. The \emph{computational} Diffie-Hellman problem (CDH) is as follows: given two group elements $X = x P$ and $Y = y P$, find $Z = x y P$. +\ifshort\else \begin{definition}[The computational Diffie-Hellman problem] Let $(G, +)$ be a cyclic group generated by $P$. For any adversary $A$, we say that $A$'s \emph{success probability} at solving the computational Diffie-Hellman problem in $G$ is \[ \Succ{cdh}{G}(A) = - \Pr[ x \getsr I; y \getsr \Nupto{|G|} : A(x P, y P) = x y P ] + \Pr[ x \getsr I; y \getsr \Z/\#G\Z : A(x P, y P) = x y P ] \] where the probability is taken over the random choices of $x$ and $y$ and any random decisions made by $A$. We say that the \emph{CDH insecurity @@ -604,7 +675,7 @@ given $x P$, find $x$), then one can solve the computational Diffie-Hellman problem. The converse is not clear, though. Shoup \cite{Shoup:1997:LBD} gives us some confidence in the difficulty of the problem by showing that a \emph{generic} adversary -- i.e., one which makes no use of the specific -structure of a group -- has success probability no greater than $q^2/|G|$. +structure of a group -- has success probability no greater than $q^2/\#G$. This isn't quite sufficient for our purposes. Our proofs will be able to come up with (possibly) a large number of guesses for the correct answer, and @@ -613,30 +684,18 @@ right seems, in general, to be difficult. This is the \emph{decision} Diffie-Hellman problem (DDH), which \cite{Shoup:1997:LBD} shows, in the generic group model, is about as hard as CDH. (See \cite{Boneh:1998:DDP} for a survey of the decision Diffie-Hellman problem.) - +\par\fi Our reference problem will be a `multiple-guess computational Diffie-Hellman problem' (MCDH), which is captured by a game as follows. An adversary is given a pair of group elements $(x P, y P)$, and an oracle $V(\cdot)$ which accepts group elements as input. The adversary wins the game if it queries $V(x y P)$. -\begin{definition}[The multiple-guess computational Diffie-Hellman problem] - \label{def:mcdh} - Let $(G, +)$ be a cyclic group generated by $P$. For some adversary $A$, - we say that $A$'s \emph{success probability} at solving the multiple-guess - computational Diffie-Hellman problem in $G$ is - \[ \Succ{mcdh}{G}(A) = \Pr[\Game{mcdh}{G}(A) = 1] \] - where $\Game{mcdh}{G}(A)$ is shown in figure~\ref{fig:mcdh}. We say that - the \emph{MCDH insecurity function of $G$} is - \[ \InSec{mcdh}(G; t, q_V) = \max_A \Succ{mcdh}{G}(A) \] - where the maximum is taken over adversaries which complete in time $t$ and - make at most $q_V$-oracle queries. -\end{definition} \begin{figure} \begin{program} $\Game{mcdh}{G}(A)$: \+ \\ $w \gets 0$; \\ - $x \getsr \Nupto{|G|}$; $y \getsr \Nupto{|G|}$; \\ + $x \getsr \Z/\#G\Z$; $y \getsr \Z/\#G\Z$; \\ $A^{V(\cdot)}(x P, y P)$; \\ \RETURN $w$; \next @@ -652,6 +711,23 @@ $V(x y P)$. \label{fig:mcdh} \end{figure} +\begin{definition}[The multiple-guess computational Diffie-Hellman problem] + \label{def:mcdh} + Let $(G, +)$ be a cyclic group generated by $P$. For some adversary $A$, + we say that $A$'s \emph{success probability} at solving the multiple-guess + computational Diffie-Hellman problem in $G$ is + \[ \Succ{mcdh}{G}(A) = \Pr[\Game{mcdh}{G}(A) = 1] \] + where $\Game{mcdh}{G}(A)$ is shown in figure~\ref{fig:mcdh}. We say that + the \emph{MCDH insecurity function of $G$} is + \[ \InSec{mcdh}(G; t, q_V) = \max_A \Succ{mcdh}{G}(A) \] + where the maximum is taken over adversaries which complete in time $t$ and + make at most $q_V$-oracle queries. +\end{definition} +\ifshort +We can (loosely) relate the difficulty of MCDH to the difficulty of +the standard CDH problem, in which the adversary is allowed only a single +guess. +\else Note that our MCDH problem is not quite the `gap Diffie-Hellman problem' (GDH). The gap problem measures the intractibility of solving CDH even with the assistance of an oracle for solving (restricted) decision Diffie-Hellman @@ -663,11 +739,16 @@ Clearly MCDH is at least as hard as GDH, since our simple verification oracle $V(Z)$ can be simulated with the gap problem's DDH oracle, as $D(Y, Z)$. However, we can (loosely) relate the difficulty of MCDH to the difficulty of CDH. +\fi \begin{proposition}[Comparison of MCDH and CDH security] For any cyclic group $(G, +)$, - \[ \InSec{mcdh}(G; t, q_V) \le q_V\,\InSec{cdh}(G; t + O(q_V)). \] + \[ \InSec{mcdh}(G; t, q_V) \le + \ifshort q_V\,\InSec{mcdh}(G; t + O(q_V), 1) \else + q_V\,\InSec{cdh}(G; t + O(q_V)) \fi. + \] \end{proposition} -\begin{proof} +\begin{longproof}{The proof of this proposition may be found in the full + version of this paper.} Let $A$ be an adversary attacking the multiple-guess computational Diffie-Hellman problem in $G$, and suppose that it runs in time $t$ and issues $q_V$ queries to its verification oracle. @@ -701,14 +782,13 @@ CDH. \RETURN $0$; \end{program} Observe that $B$ provides $A$ with an accurate simulation of game $\G1$. - Moreover, at the end of the algorithm, we have $0 < n \le q_V$, the - output of $A$ is stored in $Q_{n-1}$ and the values $Q_0$, $Q_1$, \dots, - $Q_{n-1}$ are the values of $A$'s oracle queries. Hence, with probability - $Pr[S_1]$, at least of one of the $Q_i$ is the correct answer to the CDH - problem. Let $\epsilon = \Pr[S_1] = \Pr[S_0]$; we claim that $B$'s - probability of success is at least $\epsilon/q_V$. The proposition - follows directly from this claim and that, because $A$ was chosen - arbitrarily, we can maximize and count resources. + Moreover, at the end of the algorithm, we have $0 < n \le q_V$, and the + values $Q_0$, $Q_1$, \dots, $Q_{n-1}$ are the values of $A$'s oracle + queries. Hence, with probability $Pr[S_1]$, at least of one of the $Q_i$ + is the correct answer to the CDH problem. Let $\epsilon = \Pr[S_1] = + \Pr[S_0]$; we claim that $B$'s probability of success is at least + $\epsilon/q_V$. The proposition follows directly from this claim and that, + because $A$ was chosen arbitrarily, we can maximize and count resources. We now prove the above claim. For $0 \le i < q_V$, let $W_i$ be the event that $Q_i = x y P$, i.e., that $Q_i$ is the correct response. A @@ -727,10 +807,10 @@ CDH. & = \frac{\epsilon}{q_V}. \end{eqnarray*} which completes the proof. -\end{proof} +\end{longproof} - -\subsection{Example groups and encodings} +\ifshort\else +\prelimsec{Example groups and encodings} For nonnegative integers $0 \le n < 2^\ell$, there is a natural binary encoding $N_\ell\colon \Nupto{2^\ell} \to \Bin^\ell$ which we can define @@ -754,23 +834,23 @@ using the functions $(e, d)$: The reader can verify that the functions $e(L, \ell, \cdot)$ and $d(L, \ell, \cdot)$ satisfy the requirements of section~\ref{sec:bitenc}. -Given some $q < 2^{\ell_I}$ and $I = \Nupto{q}$, then, we can define an -encoding $(e_I, d_I)$ by $e_I(n) = e(q, \ell_I, n)$ and $d_I(a) = d(q, -\ell_I, a)$. - -Let $p$ and $q$ be primes, with $q|(p - 1)$. Then there is an order-$q$ -subgroup of $(\Z/p\Z)^*$. In practice, an order-$q$ element can be found -easily by taking elements $h \in (\Z/p\Z)^*$ at random and computing $g = -h^{(p-1)/2}$ until $g \ne 1$; then $G = \langle g \rangle$ is a group of $q$ -elements. Assuming that $p$ and $q$ are sufficiently large, the -Diffie-Hellman problems seem to be difficult in $G$. Some texts recommend -additional restrictions on $p$, in particular that $(p - 1)/2q$ be either -prime or the product of large primes. Primes of this form protect against -small-subgroup attacks; but our protocols are naturally immune to these -attacks, so such precautions are unnecessary here. Elements of $G$ can be -encoded readily, since each element $n + p\Z$ of $\Z/p\Z$ has an obvious -`representative' integer $n$ such that $0 \le n < p$, and given $2^{\ell_G} > -p$, we can encode $n$ as $e(p, \ell_G, n)$, as above. +Given some $q$ with $q < 2^{\ell_I}$, then, we can define an encoding +$(e_\F, d_\F)$ by $e_\F(n) = e(q, \ell_I, n)$ and $d_\F(a) = d(q, \ell_I, +a)$. + +Let $p$ and $q$ be primes, with $q \mid (p - 1)$. Then there is an order-$q$ +subgroup of $\F_p^*$. In practice, an order-$q$ element can be found easily +by taking elements $h \in \F_p^*$ at random and computing $g = h^{(p-1)/2}$ +until $g \ne 1$; then $G = \langle g \rangle$ is a group of $q$ elements. +Assuming that $p$ and $q$ are sufficiently large, the Diffie-Hellman problems +seem to be difficult in $G$. Some texts recommend additional restrictions on +$p$, in particular that $(p - 1)/2q$ be either prime or the product of large +primes. Primes of this form protect against small-subgroup attacks; but our +protocols are naturally immune to these attacks, so such precautions are +unnecessary here. Elements of $G$ can be encoded readily, since each element +$n + p\Z$ of $\F_p = \Z/p\Z$ has an obvious `representative' integer $n$ such +that $0 \le n < p$, and given $2^{\ell_G} > p$, we can encode $n$ as $e(p, +\ell_G, n)$, as above. Alternatively, let $\F = \gf{p^f}$ be a finite field, and $E$ be an elliptic curve defined over $\F$ such that the group $E(\F)$ of $\F$-rational points @@ -783,9 +863,10 @@ $r(x)$ with degree less than $f$, and coefficients $c_i \in \{0, 1\}$, i.e., \[ r(x) = \sum_{0\le i: <0cm, 3cm>::} - *+[F]\dbox{$r_i \getsr I$; $R_i \gets r_i P$ \\ - $c_i \gets r_i \xor H_I(R_i, r_i X_j)$} ="i0" - [d] - *+[F]\dbox{Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$ \\ - $Z \gets r_i R_j$; $K \gets H_K(0, Z)$ \\ - $\chi_i \gets E_K(x_i R_j)$} ="i1" - [d] - *+[F]\dbox{Check $D_K(\chi_j) = r_i X_j$ \\ - Shared key is $H_K(1, Z)$} ="i2" - "i0" [r] - *+[F]\dbox{$r_j \getsr I$; $R_j \gets r_j P$ \\ - $c_j \gets r_j \xor H_I(R_j, r_j X_i)$} ="j0" - [d] - *+[F]\dbox{Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$ \\ - $Z \gets r_j R_i$; $K \gets H_K(0, Z)$ \\ - $\chi_j \gets E_K(x_j R_i)$} ="j1" - [d] - *+[F]\dbox{Check $D_K(\chi_i) = r_j X_i$ \\ - Shared key is $H_K(1, Z)$} ="j2" - % - "i0" : |(0)/3.25cm/*+{(R_i, c_i)} "j1" - "i1" : |(0)/3.25cm/*+{(R_i, \chi_i)} "j2" - "j0" : |(0)/3.25cm/*+{(R_j, c_j)} "i1" - "j1" : |(0)/3.25cm/*+{(R_j, \chi_j)} "i2" - \end{graph} \] + \begin{protocol} + $r_i \getsr I$; $R_i \gets r_i P$; & + $r_j \getsr I$; $R_j \gets r_j P$; \\ + $c_i \gets r_i \xor H_I(R_i, r_i X_j)$; & + $c_j \gets r_j \xor H_I(R_j, r_j X_i)$; \\ + \send{->}{(R_i, c_i)} + \send{<-}{(R_j, c_j)} + Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$; & + Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$; \\ + $Z \gets r_i R_j$; $(K_0, K_1) \gets H_K(Z)$; & + $Z \gets r_j R_i$; $(K_0, K_1) \gets H_K(Z)$; \\ + $\chi_i \gets E_{K_0}(x_i R_j)$; & + $\chi_j \gets E_{K_0}(x_j R_i)$; \\ + \send{->}{(R_i, \chi_i)} + \send{<-}{(R_j, \chi_j)} + Check $D_{K_0}(\chi_j) = r_i X_j$; & + Check $D_{K_0}(\chi_i) = r_j X_i$; \\ + Shared key is $K_1$. & Shared key is $K_1$. + \end{protocol} \caption{Summary of the Wrestlers Key Exchange protocol, $\Wkx$} \label{fig:wkx} @@ -1983,7 +2104,7 @@ Then: responds to Alice's message; \item $b R' = b R = b (r P) = r (b P) = r B$, and $a S' = a S = a (s P) = s (a P) = s A$, and therefore both parties compute their responses correctly; - and + and \item $r S' = r S = r (s P) = s (r P) = s R = s R'$, so $K_A = K_B$, and therefore they can decrypt each others' responses, and agree the same shared secret. @@ -2019,6 +2140,13 @@ Our model is very similar to that of Canetti and Krawczyk SK-security game. \end{enumerate} +\ifshort + +Readers interested in the details of the model should see Canetti and +Krawczyk's paper \cite{Canetti:2001:AKE}, or the full version of this paper. + +\else + \subsubsection{Overview} We briefly describe our modified model, pointing out the changes we have made, and how they apply to our protocol. Much of Canetti and Krawczyk's @@ -2044,13 +2172,13 @@ $n$ components, and party $P_i$ is given $(i_U, \mathbf{i}[i])$ as input. \subsubsection{Sessions} Parties don't act directly. Instead, each party runs a number of -\emph{sessions}. A session a triple $S = (P_i, P_j, s)$, where $i, j \in -\Nupto{n}$ identify the owning party and a \emph{partner}, and $s \in -\Bin^{\ell_S}$ is a \emph{session-id}. (The original model includes a -r\^ole, for distinguishing between initiators and responders. Our protocol -is symmetrical, so this distinction isn't useful.) If $P_i$ runs a session -$S = (P_i, P_j, s)$ and $P_j$ runs a session $S' = (P_j, P_i, s)$ then we say -that $S$ and $S'$ are \emph{matching}, and that $P_j$ is $P_i$'s +\emph{sessions}. A session is represented by a triple $S = (P_i, P_j, s)$, +where $i, j \in \Nupto{n}$ identify the owning party and a \emph{partner}, +and $s \in \Bin^{\ell_S}$ is a \emph{session-id}. (The original model +includes a r\^ole, for distinguishing between initiators and responders. Our +protocol is symmetrical, so this distinction isn't useful.) If $P_i$ runs a +session $S = (P_i, P_j, s)$ and $P_j$ runs a session $S' = (P_j, P_i, s)$ +then we say that $S$ and $S'$ are \emph{matching}, and that $P_j$ is $P_i$'s \emph{partner} for the session. At most one participant in the game is \emph{active} at any given time. @@ -2144,11 +2272,13 @@ it. The adversary \emph{wins} the game if either \item the adversary correctly guesses the hidden bit~$b^*$. \end{enumerate} More formally, we make the following definition. +\fi \begin{definition}[SK-security] \label{def:sk} Let $\Pi^{H_0(\cdot), H_1(\cdot), \ldots}$ be a key-exchange protocol which makes use of random oracles $H_0(\cdot)$, $H_1(\cdot)$, \dots, and - let $A$ be an adversary playing the game described previously, where $n$ + let $A$ be an adversary playing the game described \ifshort in + \cite{Canetti:2001:AKE}\else previously\fi, where $n$ parties run the protocol~$\Pi$. Let $V$ be the event that any pair of matching, unexposed sessions completed, but output different session keys. Let $W$ be the event that the adversary's output bit matches the game's @@ -2170,7 +2300,7 @@ More formally, we make the following definition. \subsection{Security} In order to analyse our protocol $\Wkx^{G, \E}$ properly, we must describe -exactly how it fits into the formal model described in our formal model. +exactly how it fits into our formal model. \subsubsection{Sessions and session-ids} Our formal model introduced the concept of sessions, which the informal @@ -2232,7 +2362,7 @@ sake of robustness.\footnote{% \begin{program} Function $\id{init}(n)$: \+ \\ \FOR $i \in \Nupto{n}$ \DO \\ \ind - $x \getsr \Nupto{|G|}$; \\ + $x \getsr \gf{q}$; \\ $\mathbf{i}[i] \gets x$; \\ $\mathbf{p}[i] \gets x P$; \- \\ \RETURN $(\mathbf{p}, \mathbf{i})$; @@ -2242,7 +2372,7 @@ sake of robustness.\footnote{% $X \gets \mathbf{p}[i]$; $X' \gets \mathbf{p}[j]$; $C \gets \emptyset$; \\ - $r \getsr \Nupto{|G|}$; + $r \getsr \gf{q}$; $R \gets r P$; $Y \gets r X'$; \\ $h \gets H_I(X, s, R, Y)$; @@ -2276,7 +2406,7 @@ sake of robustness.\footnote{% \OUTPUT $K_1$; \STOP; \end{program} - + \caption{Formalization of $\Wkx$} \label{fig:wkx-formal} \end{figure} @@ -2308,7 +2438,8 @@ We conclude that the only `interesting' session state is $r$. \subsubsection{Security} Having formally presented the protocol, we can now state our main theorem -about its security. The proof is given in appendix~\ref{sec:sk-proof}. +about its security. The proof is given in \ifshort the full version of the +paper\else appendix~\ref{sec:sk-proof}\fi. \begin{theorem}[SK-security of $\Wkx$] \label{thm:sk} Let $G$ be a cyclic group. Let $\E = (\kappa, E, D)$ be a symmetric @@ -2318,13 +2449,14 @@ about its security. The proof is given in appendix~\ref{sec:sk-proof}. 2 q_S \bigl( \InSec{ind-cca}(\E; t', q_M, q_M) + {} \\ \InSec{mcdh}(G; t', q_K) + n \,\InSec{mcdh}(G; t', q_M + q_I) \bigr) + - \frac{n (n - 1)}{|G|} + + \frac{n (n - 1)}{q} + \frac{2 q_M}{2^{\ell_I}}. \end{spliteqn*} where $t' = t + O(n) + O(q_S) + O(q_M q_I) + O(q_K)$. \end{theorem} +\ifshort\else \subsection{Insecure protocol variants} \label{sec:kx-insecure} @@ -2422,7 +2554,7 @@ set up. Although each of Alice and Bob have two sessions with session-id~$s$, this is allowed, since they are with different partners. The rest of the attack in fact proceeds identically to the previous case. - +\fi \subsection{Deniability} \label{sec:denial} @@ -2518,7 +2650,7 @@ nature of the Wrestlers identification protocol. However, Bob can work with the judge to bring him the evidence necessary to convict Alice. Here's how. Alice's public key is $A$, and Bob's public key is $B$. The judge chooses -some session-id $s$, and $r \inr \Nupto{q}$. He computes $R = r P$ and $c = +some session-id $s$, and $r \inr \gf{q}$. He computes $R = r P$ and $c = r \xor H_I(B, s, R, r A)$, and gives Bob the triple $(s, R, c)$, keeping $r$ secret. Bob can now persuade Alice to enter into a key-exchange with him, with session-id $s$. He uses $(R, c)$ as his challenge message. When Alice @@ -2553,45 +2685,36 @@ formal description is shown in figure~\ref{fig:wdkx-formal}. \begin{figure} \begin{description} - \item[Setup] Group $G = \langle P \rangle$; $|G| = q$ is prime. + \item[Setup] Group $G = \langle P \rangle$; $\#G = q$ is prime. $H_I(\cdot, \cdot, \cdot, \cdot, \cdot)$ and $H_K(cdot)$ are secure hashes. $\E = (\kappa, E, D)$ is an IND-CCA2 symmetric encryption scheme. \item[Parties] $U_i$ for $0 \le i < n$. - \item[Private keys] $x_i \inr \Nupto{q}$. + \item[Private keys] $x_i \inr \gf{q}$. \item[Public keys] $X_i = x_i P$. \end{description} - \[ \begin{graph} - !{0; <8cm, 0cm>: <0cm, 3cm>::} - *+[F]\dbox{$r_i \getsr I$; $R_i \gets r_i P$} ="i-1" - [d] - *+[F]\dbox{$c_i \gets r_i \xor H_I(R_j, X_i, s, R_i, r_i X_j)$} ="i0" - [d] - *+[F]\dbox{Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$ \\ - $Z \gets r_i R_j$; $K \gets H_K(0, Z)$ \\ - $\chi_i \gets E_K(x_i R_j)$} ="i1" - [d] - *+[F]\dbox{Check $D_K(\chi_j) = r_i X_j$ \\ - Shared key is $H_K(1, Z)$} ="i2" - "i-1" [r] - *+[F]\dbox{$r_j \getsr I$; $R_j \gets r_j P$} ="j-1" - [d] - *+[F]\dbox{$c_j \gets r_j \xor H_I(R_i, X_j, s, R_j, r_j X_i)$} ="j0" - [d] - *+[F]\dbox{Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$ \\ - $Z \gets r_j R_i$; $K \gets H_K(0, Z)$ \\ - $\chi_j \gets E_K(x_j R_i)$} ="j1" - [d] - *+[F]\dbox{Check $D_K(\chi_i) = r_j X_i$ \\ - Shared key is $H_K(1, Z)$} ="j2" - % - "i-1" : |(0)/3.25cm/*+{R_i} "j0" - "i0" : |(0)/3.25cm/*+{(R_i, c_i)} "j1" - "i1" : |(0)/3.25cm/*+{(R_i, \chi_i)} "j2" - "j-1" : |(0)/3.25cm/*+{R_j} "i0" - "j0" : |(0)/3.25cm/*+{(R_j, c_j)} "i1" - "j1" : |(0)/3.25cm/*+{(R_j, \chi_j)} "i2" - \end{graph} \] + + \begin{protocol} + $r_i \getsr I$; $R_i \gets r_i P$; & + $r_j \getsr I$; $R_j \gets r_j P$; \\ + \send{->}{R_i} + \send{<-}{R_j} + $c_i \gets r_i \xor H_I(R_j, X_i, s, R_i, r_i X_j)$; & + $c_j \gets r_j \xor H_I(R_i, X_j, s, R_j, r_j X_i)$; \\ + \send{->}{(R_i, c_i)} + \send{<-}{(R_j, c_j)} + Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$; & + Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$; \\ + $Z \gets r_i R_j$; $(K_0, K_1) \gets H_K(Z)$; & + $Z \gets r_j R_i$; $(K_0, K_1) \gets H_K(Z)$; \\ + $\chi_i \gets E_{K_0}(x_i R_j)$; & + $\chi_j \gets E_{K_0}(x_j R_i)$; \\ + \send{->}{(R_i, \chi_i)} + \send{<-}{(R_j, \chi_j)} + Check $D_{K_0}(\chi_j) = r_i X_j$; & + Check $D_{K_0}(\chi_i) = r_j X_i$; \\ + Shared key is $K_1$. & Shared key is $K_1$. + \end{protocol} \caption{Summary of the Deniable Wrestlers Key Exchange protocol, $\Wdkx$} \label{fig:wdkx} @@ -2601,7 +2724,7 @@ formal description is shown in figure~\ref{fig:wdkx-formal}. \begin{program} Function $\id{init}(n)$: \+ \\ \FOR $i \in \Nupto{n}$ \DO \\ \ind - $x \getsr \Nupto{|G|}$; \\ + $x \getsr \gf{q}$; \\ $\mathbf{i}[i] \gets x$; \\ $\mathbf{p}[i] \gets x P$; \- \\ \RETURN $(\mathbf{p}, \mathbf{i})$; @@ -2611,7 +2734,7 @@ formal description is shown in figure~\ref{fig:wdkx-formal}. $X \gets \mathbf{p}[i]$; $X' \gets \mathbf{p}[j]$; $C \gets \emptyset$; \\ - $r \getsr \Nupto{|G|}$; + $r \getsr \gf{q}$; $R \gets r P$; $Y \gets r X'$; \\ \SEND $(\cookie{pre-challange}, R)$; @@ -2652,13 +2775,14 @@ formal description is shown in figure~\ref{fig:wdkx-formal}. \OUTPUT $K_1$; \STOP; \end{program} - + \caption{Deniable key-exchange: formalization of $\Wdkx$} \label{fig:wdkx-formal} \end{figure} The security of this variant is given by the following theorem, whose proof -is in appendix~\ref{sec:sk2-proof}. +is \ifshort given in the full version of this paper\else in +appendix~\ref{sec:sk2-proof}\fi. \begin{theorem}[SK-security of $\Wdkx$] \label{thm:sk2} Let $G$ be a cyclic group. Let $\E = (\kappa, E, D)$ be a symmetric @@ -2687,14 +2811,17 @@ deniability of our protocols. \frac{q_M}{2^{\ell_I}} \] and - \[ \InSec{sim}(W_{\Wdkx^{G, \E}}, I_{\Wdkx^{G, \E}}, S_{\Wdkx^{G, \E}}; - t_D, t_A, \mathcal{Q}_D, \mathcal{Q}_A, (q_S, q_M), n_C) \le - \frac{n_C q_S}{|G|} + + \iffancystyle\[\else\begin{spliteqn*}\fi + \InSec{sim}(W_{\Wdkx^{G, \E}}, I_{\Wdkx^{G, \E}}, S_{\Wdkx^{G, \E}}; + t_D, t_A, \mathcal{Q}_D, \mathcal{Q}_A, (q_S, q_M), n_C) \le + \iffancystyle\else\\\fi + \frac{n_C q_S}{\#G} + \frac{q_M}{2^{\ell_I}}. - \] + \iffancystyle\]\else\end{spliteqn*}\fi The running time of the simulators is $O(t_A) + O(\mathcal{Q}_A q_M)$. \end{theorem} -\begin{proof} +\begin{longproof}{The proof of this theorem can be found in the full version + of this paper.} The simulators $S_\Wkx$ and $S_\Wdkx$ are very similar. We describe both here. Both are fake-world simulators, working as follows. \begin{enumerate} @@ -2702,7 +2829,7 @@ deniability of our protocols. giving each the public key $X_i$ from the common input. \item Suppose the adversary requests creation of a new session $S = (P_i, P_j, s)$. Then the simulator creates a new session, including a random - value $r_S \inr \Nupto{|G|}$, and computes $R_S = r_S P$, and $Y_S = r_S + value $r_S \inr \gf{q}$, and computes $R_S = r_S P$, and $Y_S = r_S X_j$. For $\Wdkx$, it sends the message $(\cookie{pre-challenge}, R_S)$; for $\Wkx$, it additionally computes $h = H_I(X_i, s, R_S, Y_S)$ and sends $(\cookie{challenge}, R_S, r_S \xor h)$. @@ -2754,17 +2881,17 @@ deniability of our protocols. adversary's auxiliary input. In this case the simulator must fail. But $R_S = r_S P$, and $r_S$ was chosen uniformly at random. If there are at most $n_C$ challenge sets in the auxiliary input then this happens with - probability at most $n_C/|G|$ for any given session. + probability at most $n_C/\#G$ for any given session. \end{itemize} We conclude that the simulator fails with probability - \[ \frac{q_M}{2^{\ell_I}} + \frac{q_S n_C}{|G|}. \] + \[ \frac{q_M}{2^{\ell_I}} + \frac{q_S n_C}{\#G}. \] (Note that we only consider $n_C = 0$ for $\Wkx$.) No adversary can distinguish the simulator from a real interaction unless the simulator fails, and the simulator is a fake-world simulator. We therefore apply proposition~\ref{prop:fakesim}; the theorem follows. -\end{proof} - +\end{longproof} +\ifshort\else \subsection{Practical issues} \label{sec:practice} @@ -2921,6 +3048,7 @@ protocol-interference attack: an adversary can replay key-exchange ciphertexts to insert the corresponding plaintexts into the channel. We offer a sketch proof of this claim in appendix~\ref{sec:sc-proof}. +\fi %%%-------------------------------------------------------------------------- @@ -2946,6 +3074,7 @@ Clive Jones and I worked out the initial design. %%%-------------------------------------------------------------------------- +\ifshort\def\next{\end{document}}\expandafter\next\fi \appendix \section{Proofs} @@ -3000,11 +3129,11 @@ X_j$ where $0 \le i < j < n$), we stop the game immediately and without crediting the adversary with a win. This only happens when the corresponding private keys are equal, i.e., $x_i = x_j$, and since the initialization function chooses private keys uniformly at random, this happens with -probability at most $\binom{n}{2}/|G|$. Since if this doesn't happen, the +probability at most $\binom{n}{2}/\#G$. Since if this doesn't happen, the game is identical to $\G0$, we can apply lemma~\ref{lem:shoup}, and see that \begin{equation} \label{eq:sk-g0-g1} - \diff{0}{1} \le \frac{1}{|G|} \binom{n}{2} = \frac{n (n - 1)}{2 |G|}. + \diff{0}{1} \le \frac{1}{\#G} \binom{n}{2} = \frac{n (n - 1)}{2 \#G}. \end{equation} In game~$\G1$ and onwards, we can assume that public keys for distinct parties are themselves distinct. Note that the game now takes at most @@ -3102,14 +3231,15 @@ We conclude that, for any adversary $A$, \Pr[V_4] = 0 \qquad \text{and} \qquad \Pr[W_4] = \frac{1}{2}. \end{equation} Putting equations~\ref{eq:sk-g0-g1}--\ref{eq:sk-g4} together, we find +\begingroup \splitright=4em minus 4em \begin{spliteqn} \Adv{sk}{\Wident^{G, \E}}(A) \le 2 q_S \bigl(\InSec{ind-cca}(\E; t', q_M, q_M) + {} \\ \InSec{mcdh}(G; t', q_K) + n \,\InSec{mcdh}(G; t', q_M + q_I) \bigr) + {} - \frac{n (n - 1)}{|G|} + + \frac{n (n - 1)}{\#G} + \frac{2 q_M}{2^{\ell_I}}. -\end{spliteqn} +\end{spliteqn} \endgroup The theorem follows, since $A$ was chosen arbitrarily. @@ -3197,7 +3327,7 @@ The theorem follows, since $A$ was chosen arbitrarily. = \frac{1}{2^{\ell_I}} \sum_\Cid \Ccount(\Cid) \le \frac{q_M}{2^{\ell_I}} \] - as required. + as required. Now observe that, in $\G2$, sessions don't actually check incoming challenges in this way any more -- instead we run the extractor. So, to @@ -3374,7 +3504,7 @@ The theorem follows, since $A$ was chosen arbitrarily. choose a random $m \in \Nupto{n}$, and when the adversary creates the session $S = S_k = (P_i, P_j, s)$, we abort the game unless $j = m$. Clearly we have $\Pr[F_6] = n \Pr[F_7]$. - + Finally, we can explicitly bound $F_6$. In $\G6$, the adversary's view is independent of the correct response $Y_S = r_S X_S = x_j R_S$ to $S$'s challenge. Therefore, if $A$ manages to send any message $\mu \notin M_T$ @@ -3427,7 +3557,7 @@ The theorem follows, since $A$ was chosen arbitrarily. The proof is almost identical to the proof of theorem~\ref{thm:sk}, in appendix~\ref{sec:sk-proof}. Unfortunately a black-box reduction doesn't -seem possible. +seem possible. We use the games and notation of section~\ref{sec:sk-proof}. @@ -3517,7 +3647,7 @@ that \end{equation} Finally, we can bound the adversary's advantage at guessing the hidden bit $b^*$. We isolate (we hope) the challenge session $S$ by choosing a target -session at random, as before. Let $K_* = H_K(Z_S)$ be the key agreed by the +session at random, as before. Let $K^* = H_K(Z_S)$ be the key agreed by the session (if it becomes ripe). We define an adversary $B$ against the IND-CCA security of $\E$. The adversary $B$ simulates the game. If the adversary exposes the target session, or doesn't choose it as the challenge session, @@ -3541,7 +3671,7 @@ the advantage of our IND-CCA distinguisher. Then \end{document} -%%% Local Variables: +%%% Local Variables: %%% mode: latex %%% TeX-master: t -%%% End: +%%% End: diff --git a/wrslides.tex b/wrslides.tex index ae50308..487d113 100644 --- a/wrslides.tex +++ b/wrslides.tex @@ -1,29 +1,62 @@ -\documentclass{wrslides} +\documentclass[t]{beamer} +\usetheme{Madrid} +\usefonttheme[stillsansseriflarge, stillsansserifsmall]{serif} +\usepackage[T1]{fontenc} +\usepackage[utf8]{inputenc} +\usepackage[palatino, helvetica, courier, maths = palatino]{mdwfonts} +\usepackage{tikz} +\usepackage{crypto, mdwmath} + +\newcommand{\E}{{\mathcal{E}}} + +\errorcontextlines=999 + +\def\Wident{\Xid{W}{ident}} +\def\Wkx{\Xid{W}{kx}} +\def\Nupto#1{\{0, 1, \ldots, #1 - 1\}} +\def\Bin{\{0, 1\}} +\let\op\star +\let\le\leqslant +\let\ge\geqslant +\let\epsilon\varepsilon + +\title{The Wrestlers Protocol} +\subtitle{A simple, practical, secure, deniable protocol for key-exchange} +\author{Mark Wooding} + +\newdimen\boxwd +\newenvironment{protocol}[2]{% + \small + \begin{tikzpicture}[x = 1cm, y = -\baselineskip] + \tikzstyle{thoughts} = [text width = #1cm - 4mm, anchor = north] + \tikzstyle{alice} = [xshift = 12cm - #1cm/2] + \tikzstyle{bob} = [xshift = #1cm/2] + \tikzstyle{other} = [text = blue] + \tikzstyle{message} = + [xshift = #1cm + 2mm, x = 11.6cm - #1cm*2, draw, font = \footnotesize] + \draw [rounded corners, fill = blue!20] + (0, 0) rectangle +(#1, #2); + \draw [rounded corners, fill = red!20] + (12cm - #1cm, 0) rectangle +(#1, #2); + \path node [alice] at (0, 1) {\normalsize Alice} + node [bob] at (0, 1) {\normalsize Bob} + ; +}{% + \end{tikzpicture} +} \begin{document} -\begin{slide} - \emptyslide - \hrule height0pt - \vfill - \centerline{\Huge\sffamily\bfseries The Wrestlers Protocol} - \medskip - \centerline{\itshape A simple, practical, secure, deniable protocol for - key-exchange} - \vskip 1in - \tabskip=0ptplus1fil - \halign to \linewidth{\tabskip=0pt\hfil\ignorespaces#\unskip\cr - Mark Wooding\cr - \texttt{mdw@distorted.org.uk}\cr} - \bigskip -\end{slide} - -\include{wr-backg} +\frame{\titlepage} +\frame{\tableofcontents} + +%%%\include{wr-backg} \include{wr-main} \end{document} -%%% Local Variables: +%%% Local Variables: %%% mode: latex %%% TeX-master: t -%%% End: +%%% TeX-PDF-mode: t +%%% End: