Practical Covert Authentication
Stanislaw Jarecki, University of California at Irvine
Public Key Cryptography 2014
Presentation Plan
• Introduction to Covert Computation
• Practical Covert Authentication Protocol: O(1) rounds, group elements, exponentiations…
• Main Tool: Compiler for Covert Conditional OT's: ZKPK+ (Σ-protocol) for language L → Covert Conditional OT for L
• Extensions / Open Problems
Background: Secure Computation
Secure computation hides everything except what is revealed by the output.
[figure: A (input x) and B (input y) run protocol π for F; A learns F(x,y)]
Definition: for every (efficient) adversary A there is an (efficient) simulator Ã such that, for all inputs y, A's interaction with π(·,y) ≈ Ã's interaction with the ideal F(·,y).
Background: Secure Computation
Secure computation hides everything it can about B's input… but not the fact that B engages in a computation of F, which is information in itself!
[figure: A (input x) and B (input y) run protocol π for F; output F(x,y)]
• A voting protocol attempt reveals a potential voter
• A petition-signing attempt reveals a potential signer
• …
• An authentication attempt reveals a member of some organization which uses the authentication protocol, no matter how credential-, policy- or attribute-hiding that protocol is!
Covert Computation
Can we hide the fact that computation is taking place?
Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F.
[figure: A (input x) runs π for F with a peer that is either B (input y) or a source of random bits ($); A's output is F(x,y)]
Q: How can we hide that B follows protocol π?
A: Make π's messages indistinguishable from random ($) bits.
Q: How can we hide that B follows some protocol at all?
A: Run π over a steganographic channel (= a channel that always carries $-looking bits):
• network control messages, padding, timing
• pictures, music, voice, …
• encryption (e.g. a VPN router), other crypto (e.g. "kleptography")
Q: But doesn't A's output z = F(x,y) reveal that B supplied some input y?
A: Yes, but F's outputs can look random ($) for many (x,y) pairs:
• authenticated key exchange
• any authenticated computation…
Covert Computation: Definition
Covert π = as "random" as the ideal F [vAHL05] (refined in [CGOS07])
[figure: real world: A interacts with B(y), y ← D, running π, or with a $ beacon; ideal world: Ã interacts with F(·,y), y ← D, or with a $ beacon]
Distinguishability of F from a $ beacon in the ideal world:
  CovDist_{F,D,Ã} = | Pr[Ã^{F(y)} → 1 | y ← D] − Pr[Ã^{$(F)} → 1] |
Distinguishability of π from a $ beacon in the real world:
  CovDist_{π,D,A} = | Pr[A^{π(y)} → 1 | y ← D] − Pr[A^{$(π)} → 1] |
π is covert if for every A there is an Ã such that
  (1) the standard secure computation requirements hold, and
  (2) for every distribution D: CovDist_{F,D,Ã} ≈ CovDist_{π,D,A}
Covert Computation: What is currently known?
• [vAHL05]: defined covert 2PC, O(sec.par.)-round protocol for any F
• [CGOS07]: defined covert MPC, O(sec.par.)-round protocol for any F
• [GJ10]: Ω(sec.par.) rounds necessary for covert 2PC/MPC in the plain model
• Can 2PC/MPC be covert in O(1) rounds in the CRS model? Probably (see the last slide)
• How about covert authentication (not necessarily a covert 2PC)?
This work: 5 rounds (3 in ROM), ≈30 RSA exponentiations per party
Covert Authentication: Definition
KeyGen → PK + (Cert_A, Cert_B, Cert_C, …)  [unforgeable certificate scheme]
Ideal functionality F_Auth: A inputs (PK, Cert_A), B inputs (PK, Cert_B); A receives K_A and B receives K_B, where
  if Ver(PK, Cert_A) and Ver(PK, Cert_B) then K_A = K_B (← $), otherwise K_A ≠ K_B (each ← $ independently)
  [+ handling of CRLs]
Covertness: if A has no valid (& unrevoked) cert then F_Auth ≈ $[F_Auth]; accordingly, π_Auth is covert if, without a valid (& unrevoked) cert, π_Auth ≈ $[π_Auth].
Our work: game-based definition, no extraction of PK (public input).
Covert Authentication Protocol Idea (1): use a "typical" group signature scheme
KeyGen → PK + (Cert_A, Cert_B, Cert_C, …)  [unforgeable certificate scheme]
A (holding PK, Cert_A) sends C_A = COM(Cert_A) and gives ZKP[(PK, C_A) ∈ L_ComCert]; B (holding PK, Cert_B) does the same with C_B = COM(Cert_B).
L_ComCert = { x = (PK, C) s.t. ∃ w = (cert, dec) s.t. Ver(PK, cert) = 1 and Decommit(C, cert, dec) = 1 }
• Revocation e.g. by a ZKP that the certificate in C is not on the CRL
• Our work uses "verifier-local" revocation (w/o ZKP) [BS'04]
Problem: a ZKP (for any non-trivial L) makes a protocol inherently non-covert!
F_ZKP for L: prover P inputs statement x and witness w (here x = (PK, C), w = (cert, dec)); verifier V outputs b ← 1 if w is a witness for x ∈ L, otherwise b ← 0. A random-bit source never makes V accept, so an accepting V has already learned that a party holding a witness is present.
Covert Authentication Protocol Idea (2): replace the ZKP by a covert COT for L_ComCert
A sends C_A = COM(Cert_A) and runs COT[(PK, C_A) ∈ L_ComCert] with B (likewise B with C_B).
Covert Conditional Oblivious Transfer (COT) for L, KEM version. F_COT for L: sender S inputs statement x, receiver R inputs witness w (here x = (PK, C), w = (cert, dec)); S receives K_S ← $; if w is a witness for x ∈ L then K_R = K_S, otherwise K_R ≠ K_S (K_R ← $ independently).
Covertness:
  (1) in R's view, π_COT ≈ $[π_COT] if R has no valid w for S's x
  (2) in S's view, π_COT ≈ $[π_COT] for all x
Strong soundness: efficient extraction of w from any covertness-breaking R.
Analogy: Encryption is to Signature as Conditional OT (COT) is to ZK Proof, and as Strongly-Sound COT is to ZK Proof of Knowledge.
Covert Authentication: Full Protocol
KeyGen → PK + (Cert_A, Cert_B, Cert_C, …)  [unforgeable certificate scheme]
1. A → B: C_A = COM(Cert_A); run COT[(PK, C_A) ∈ L_ComCert] with B as sender (B gets K_BS) and A as receiver (A gets K_AR)
2. B → A: C_B = COM(Cert_B); run COT[(PK, C_B) ∈ L_ComCert] with A as sender (A gets K_AS) and B as receiver (B gets K_BR)
3. A derives its key K_A from (K_AR, K_AS); B derives K_B from (K_BS, K_BR)
Covertness (assume A has no valid Cert):
• A's view of the first COT together with K_BS is ≈ $[π_COT^S]
• A's view of C_B and of the second COT is ≈ $[π_COT^R]
⇒ A's view of the whole interaction together with K_B is ≈ $
• The COT must assure extraction of the witness w from a covertness-breaking receiver: if an adversary breaks covertness of the authentication protocol, the reduction extracts a valid certificate (a forgery).
Constructing Covert COT for L_ComCert
F_COT for L: S inputs x, R inputs w; K_S ← $; if w is a witness for x ∈ L then K_R = K_S, otherwise K_R ≠ K_S.
Assume L = { x = [g_ij] s.t. ∃ w = [w_j] s.t.
    g_1 = (g_11)^{w_1} (g_12)^{w_2} … (g_1n)^{w_n}
    …
    g_m = (g_m1)^{w_1} (g_m2)^{w_2} … (g_mn)^{w_n} }
  [+ additive and multiplicative relations between the w_j's]
Smooth Projective Hash Function (SPHF) ⇒ covert COT, but no extraction of the witness w from a covertness-breaking R.
Compiler from ZKPK+ for L_ComCert to Covert COT
F_COT for L: S inputs x, R inputs w; if w is a witness for x ∈ L then K_R = K_S, otherwise K_R ≠ K_S.
Example: L = { x s.t. ∃ w s.t. x = g^w }.
(HV)ZKPK for L (Σ-protocol) → covert COT for L:
  P → V: a = g^r;  V → P: e ← $;  P → V: z = r + e·w
SIM for this ZKPK+: z ← $, e ← $, a = F(x, e, z) = g^z / x^e
Covert COT for L:
  R → S: C = COM(a), a = g^r
  S → R: e ← $
  R → S: z = r + e·w
  S ↔ R: SPHF for the statement "C = COM(F(x, e, z))": S computes K_S from its hash key, R computes K_R from the projection key and its opening of C
If COM = ElGamal PKE then the SPHF is the one for DDH tuples [CS'98] (+ 2/3 exp's per party).
Covertness against malicious S:
  • covert COM [ElGamal]
  • z ← $ (by the ZKPK+ property)
  • the SPHF is non-interactive
Covertness against malicious R:
  (case 1) C ≠ COM(F(x, e, z)): then K_S is independent of R's view of the SPHF (smoothness)
  (case 2) C = COM(F(x, e, z)): then the Forking Lemma gives w ← Ext((e, z), (e', z'))
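The compiler from the last two slides, worked through as an added example (this is not code from the paper or the talk). It instantiates the pieces for L = { x : x = g^w }: the Schnorr Σ-protocol as the ZKPK+ (with its simulator and forking-lemma extractor), an ElGamal commitment under a second base H that stands in for the CRS, and the Cramer-Shoup SPHF for DDH tuples as the "C = COM(F(x, e, z))" hash. The group is a 64-bit safe-prime subgroup generated on the fly for the demo and is far too small for real use; the seeds, function names and the SHA-256 hash-to-key step are this example's own choices. A receiver that runs the protocol with a wrong witness sends messages of exactly the same shape (C is two group elements, z is uniform in Z_Q) but ends up with a key unrelated to the sender's, which is the covert-COT behaviour the slides describe.

```python
import hashlib
import random

# Toy group: the order-Q subgroup of quadratic residues mod a 64-bit safe prime P = 2Q+1.
# Generated here for the demo only; 64-bit parameters are far too small for real use.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; exact for n < 3.3e24, so exact for 64-bit candidates."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, rng):
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = gen_safe_prime(64, random.Random(2014))  # fixed seed: reproducible parameters
G = 4  # any quadratic residue other than 1 generates the order-Q subgroup
H = 9  # ElGamal "CRS" base; the protocol assumes nobody knows log_G(H)

def key_from(elem):
    return hashlib.sha256(f"{P}:{elem}".encode()).hexdigest()

# Schnorr Sigma-protocol for L = { x : exists w with x = G^w }, the slides' ZKPK+
def sigma_commit(rng):
    r = rng.randrange(Q)
    return r, pow(G, r, P)  # first message a = G^r

def sigma_respond(w, r, e):
    return (r + e * w) % Q  # z = r + e*w, uniform in Z_Q because r is

def sigma_reconstruct(x, e, z):
    """F(x, e, z) = G^z / x^e: the unique a for which (a, e, z) verifies (Python 3.8+ pow)."""
    return pow(G, z, P) * pow(x, -e, P) % P

def sigma_verify(x, a, e, z):
    return sigma_reconstruct(x, e, z) == a

def sigma_simulate(x, seed):
    """HVZK simulator from the slide: pick z and e at random, then a = F(x, e, z)."""
    rng = random.Random(seed)
    z, e = rng.randrange(Q), rng.randrange(Q)
    return sigma_reconstruct(x, e, z), e, z

def sigma_extract(e1, z1, e2, z2):
    """Forking-lemma extractor: two accepting transcripts sharing a give w = (z1-z2)/(e1-e2)."""
    return (z1 - z2) * pow((e1 - e2) % Q, -1, Q) % Q

# ElGamal commitment C = (G^rho, H^rho * m): two random-looking group elements, hence covert.
def commit(m, rng):
    rho = rng.randrange(Q)
    return rho, (pow(G, rho, P), pow(H, rho, P) * m % P)

# Cramer-Shoup SPHF for "C commits to m", i.e. (u, v/m) is a DH tuple with respect to (G, H).
def sphf_keygen(rng):
    alpha, beta = rng.randrange(Q), rng.randrange(Q)
    return (alpha, beta), pow(G, alpha, P) * pow(H, beta, P) % P  # (hash key, projection key)

def sphf_hash(hk, C, m):
    alpha, beta = hk
    u, v = C
    return pow(u, alpha, P) * pow(v * pow(m, -1, P) % P, beta, P) % P  # sender side

def sphf_projhash(hp, rho):
    return pow(hp, rho, P)  # receiver side; equals sphf_hash only if C really commits to m

def covert_cot(x, w_claimed, seed):
    """One run of the compiled COT for statement x; returns (K_S, K_R)."""
    rng = random.Random(seed)
    r, a = sigma_commit(rng)
    rho, C = commit(a, rng)                 # R -> S: C = COM(a); a itself is never sent
    e = rng.randrange(Q)                    # S -> R: random challenge
    z = sigma_respond(w_claimed, r, e)      # R -> S: z, uniform whatever w_claimed is
    hk, hp = sphf_keygen(rng)               # S: hash the statement "C = COM(F(x, e, z))"
    k_s = key_from(sphf_hash(hk, C, sigma_reconstruct(x, e, z)))
    k_r = key_from(sphf_projhash(hp, rho))  # S -> R: hp; R uses only hp and its opening rho
    return k_s, k_r
```

With the right w the sender reconstructs exactly the a inside C, so hash and projected hash coincide and K_S = K_R; with any other w the reconstructed a' differs from a, the SPHF's smoothness makes K_S independent of hp and rho, and the keys differ. The second case (C really commits to F(x, e, z)) is where the extractor applies: rewinding the same a with two challenges yields w, which is the strong-soundness argument of the slide.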
Extensions / Open Problems
• Covert 2PC for any F in the CRS model in O(1) rounds
• Definitions: composable covert MPC?
• Shorter covert authentication (EC with bilinear map)
• Stronger covert authentication: full-fledged AKE
• Other revocation models
• Other applications of covertness
… many other topics in covert computation to explore!