1
Practical Covert Authentication
Stanislaw Jarecki, University of California at Irvine
Public Key Cryptography 2014
2
Presentation Plan
1. Introduction to Covert Computation
2. Practical Covert Authentication Protocol: O(1) rounds, O(1) group elements, O(1) exponentiations…
3. Main Tool: Compiler for Covert Conditional OTs: ZKPK+ (Σ-protocol) for language L → Covert Conditional OT for L
4. Extensions / Open Problems
3
Background: Secure Computation
Secure computation hides everything except what is revealed by the output F(x,y).
Ideal world: A and B hand their inputs x and y to the functionality F and receive F(x,y). Real world: A and B run a protocol π for F, with B on input y.
Security: for every efficient adversary A there exists an efficient simulator Ã such that, for all inputs y, A's interaction with B(y) in π is indistinguishable from Ã's interaction with the ideal F(y):
A^π(y) ≈ Ã^F(y)
4
Background: Secure Computation
Secure computation hides everything it can about B's input y… but not the fact that B engages in the computation of F, which is information in itself!
A voting protocol attempt reveals a potential voter.
A petition signing attempt reveals a potential signer.
…
An authentication attempt reveals a member of some organization which uses that authentication protocol, no matter how credential-, policy- or attribute-hiding the protocol is!
5
Covert Computation
Can we hide the fact that computation is taking place?
Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F at all (B vs. "?").
Q: How can we hide that B follows protocol π?
A: Make π's messages indistinguishable from $ (uniformly random) bits.
6
Covert Computation
Can we hide the fact that computation is taking place?
Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F (B vs. $).
Q: How can we hide that B follows protocol π?
A: Make π's messages indistinguishable from $ bits.
Q: How can we hide that B follows some protocol at all?
A: Run π over a steganographic channel, i.e. a channel that always carries $-looking bits:
- network control messages, padding, timing;
- pictures, music, voice, …;
- encryption (e.g. a VPN router), other crypto (e.g. "kleptography").
7
Covert Computation
Can we hide the fact that computation is taking place?
Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F (B vs. $, input y vs. "?").
Q: But doesn't A's output z = F(x,y) reveal that B supplied some input y?
A: Yes, but F's outputs can look like $ for many (x,y) pairs:
- Authenticated Key Exchange
- Any authenticated computation…
8
Covert Computation
Covert π = as "random" as the ideal F [vAHL05] (refined in [CGOS07])
Setting: A runs on input x; B's input y is drawn from a distribution D. A must distinguish B(y) running π (resp. the ideal F) from a "$ beacon" that emits only random bits of the same format.
Distinguishability of F from a $ beacon in the ideal world:
CovDist_{F,D,Ã} = | Pr[1 ← Ã^{F(y)} | y ← D] − Pr[1 ← Ã^{$(F)}] |
Distinguishability of π from a $ beacon in the real world:
CovDist_{π,D,A} = | Pr[1 ← A^{π(y)} | y ← D] − Pr[1 ← A^{$(π)}] |
π is covert if for every A there exists Ã such that
(1) the standard secure computation requirements hold, and
(2) for every distribution D: CovDist_{F,D,Ã} ≈ CovDist_{π,D,A}.
9
Covert Computation
What is currently known?
[vAHL05]: defined covert 2PC; O(sec.par.)-round protocol for any F.
[CGOS07]: defined covert MPC; O(sec.par.)-round protocol for any F.
[GJ10]: Ω(sec.par.) rounds are necessary for covert 2PC/MPC in the plain model.
Can 2PC/MPC be covert in O(1) rounds in the CRS model? Probably (see the last slide).
How about covert authentication (not necessarily a covert 2PC)?
This work: 5 rounds (3 in the ROM), ≈30 RSA exponentiations per party.
10
Covert Authentication Definition
KeyGen → PK + (Cert_A, Cert_B, Cert_C, …) [an unforgeable certificate scheme]
Functionality F_Auth: A inputs (PK, Cert_A), B inputs (PK, Cert_B); A receives K_A, B receives K_B.
If Ver(PK, Cert_A) and Ver(PK, Cert_B) then K_A = K_B (← $); otherwise K_A and K_B are independent random ($, $).
[+ handling of CRLs]
If A has no valid (and unrevoked) cert then F_Auth ≈ $[F_Auth]: A's output is random, so the ideal functionality itself is covert.
Covertness without a valid (and unrevoked) cert: π_Auth ≈ $[π_Auth], i.e. B's protocol messages look like random strings of the same format.
Our work: a game-based definition; no extraction of PK (a public input) or of K_B is required.
11
Covert Authentication Protocol Idea: (1) Use a "typical" Group Signature Scheme
KeyGen → PK + (Cert_A, Cert_B, Cert_C, …) [an unforgeable certificate scheme]
A (PK, Cert_A) ↔ B (PK, Cert_B):
A → B: C_A = COM(Cert_A), then ZKP[ (PK, C_A) ∈ L_ComCert ]
B → A: C_B = COM(Cert_B), then ZKP[ (PK, C_B) ∈ L_ComCert ]
L_ComCert = { x = (PK, C) : ∃ w = (cert, dec) s.t. Ver(PK, cert) = 1 and Decommit(C, cert, dec) = 1 }
Revocation, e.g. by a ZKP that the certificate in C is not on the CRL. Our work uses "verifier-local" revocation (without a ZKP) [BS'04].
12
Covert Authentication Protocol Idea: (1) Use a "typical" Group Signature Scheme (cont.)
The ZKP step: prover P holds witness w = (cert, dec) for statement x = (PK, C); verifier V outputs b ← 1 if w is a witness for x in L, otherwise b ← 0.
A ZKP (for a non-trivial L) makes a protocol inherently non-covert! The verifier's accept/reject output already separates a prover who holds a witness from one who does not, so the interaction cannot look like $ to the verifier.
13
Covert Authentication Protocol Idea: (2) Replace the ZKP by a Covert COT for L_GrSig
A → B: C_A = COM(Cert_A), then COT[ (PK, C_A) ∈ L_ComCert ] with A as receiver R and B as sender S.
Covert Conditional Oblivious Transfer (COT) for L (KEM version), functionality F_COT:
R inputs witness w; S inputs statement x = (PK, C) and a key K_S. If w is a witness for x in L then R receives K_R = K_S; otherwise K_R is random and independent of K_S.
Covertness:
(1) In R's view, π_COT ≈ $[π_COT] if R has no valid w for S's x.
(2) In S's view, π_COT ≈ $[π_COT] for all x.
Strong soundness: efficient extraction of w from a covertness-breaking R.
14
Covert Authentication Protocol Idea: (2) Replace the ZKP by a Covert COT for L_GrSig (cont.)
Covert Conditional Oblivious Transfer (COT) for L (KEM version): if w is a witness for x in L then K_R = K_S, otherwise K_R is random and independent of K_S.
Analogy, as laid out on the slide:
Encryption | Signature
Conditional OT (COT) | ZK Proof
Strongly-Sound COT | ZK Proof of Knowledge
15
Covert Authentication Full Protocol
KeyGen → PK + (Cert_A, Cert_B, Cert_C, …) [an unforgeable certificate scheme]
A (PK, Cert_A) ↔ B (PK, Cert_B):
1. A → B: C_A = COM(Cert_A); run COT[ (PK, C_A) ∈ L_ComCert ] with A as receiver and B as sender: A gets K_A^R, B gets K_B^S.
2. B → A: C_B = COM(Cert_B); run COT[ (PK, C_B) ∈ L_ComCert ] with B as receiver and A as sender: B gets K_B^R, A gets K_A^S.
3. A derives K_A from (K_A^R, K_A^S); B derives K_B from (K_B^S, K_B^R). (The combining operator did not survive extraction.)
Covertness (assume A has no valid Cert):
(1) A's view of the first COT together with K_B^S is ≈ $[π_COT^S].
(2) A's view of C_B and of the second COT is ≈ $[π_COT^R].
Hence A's view of the whole interaction together with K_B is ≈ $.
16
Covert Authentication Full Protocol (cont.)
Covertness (assume A has no valid Cert): A's view of the first COT together with K_B^S is ≈ $[π_COT^S], and A's view of C_B and of the second COT is ≈ $[π_COT^R], so A's view of the whole interaction together with K_B is ≈ $.
The COT needs to assure extraction of the witness w from a covertness-breaking Receiver: if an adversary breaks covertness of the authentication protocol, the reduction extracts a valid certificate, i.e. a forgery against the certificate scheme.
17
Constructing Covert COT for L_ComCert
F_COT for L: R inputs witness w, S inputs statement x and K_S; if w is a witness for x in L then K_R = K_S, otherwise K_R is random and independent of K_S.
Assume L = { x = ([g_ij]) : ∃ w = [w_j] s.t.
g_1 = (g_11)^{w_1} (g_12)^{w_2} … (g_1n)^{w_n}
…
g_m = (g_m1)^{w_1} (g_m2)^{w_2} … (g_mn)^{w_n} }
[+ additive and multiplicative relations between the a_j's]
Smooth Projective Hash Function (SPHF) for such L: gives a covert COT, but no extraction of the witness w from a covertness-breaking R.
18
Compiler from ZKPK+ for L_ComCert to Covert COT
Target F_COT for L: R (witness w) and S (statement x, key K_S); if w is a witness for x in L then K_R = K_S, otherwise K_R is random and independent of K_S.
Running example: L = { x : ∃ w s.t. x = g^w }.
(HV)ZKPK for L (Σ-protocol): P sends a = g^r; V sends e ← $; P sends z = r + e·w; V accepts iff a = F(x,e,z) = g^z / x^e.
SIM for this ZKPK+: z ← $, e ← $, a = F(x,e,z) = g^z / x^e.
Covert COT for L from the compiler:
R → S: C = COM(a) (commitment to the first Σ-message)
S → R: e ← $
R → S: z
S runs SPHF[ C = COM(F(x,e,z)) ]: S derives K_S from the hash and sends the projection key; R derives K_R from the projected hash using its decommitment as the witness.
If COM = ElGamal PKE then this is an SPHF for a DDH tuple [CS'98] (+2/3 exponentiations per party).
19
Compiler from ZKPK+ for L_ComCert to Covert COT (cont.)
Covert COT for L = { x : ∃ w s.t. x = g^w }: R → S: C = COM(a) with a = g^r; S → R: e ← $; R → S: z = r + e·w; then SPHF[ C = COM(F(x,e,z)) ] with F(x,e,z) = g^z / x^e.
Covertness against a malicious S (R's messages look like $):
- C: covert COM [ElGamal ciphertexts are random-looking group elements]
- z ← $ (by the ZKPK+ property: the simulator picks z uniformly)
- SPHF step: non-interactive for R (no further message from R)
20
Compiler from ZKPK+ for L_ComCert to Covert COT (cont.)
Covert COT for L = { x : ∃ w s.t. x = g^w }: R → S: C = COM(a) with a = g^r; S → R: e ← $; R → S: z = r + e·w; then SPHF[ C = COM(F(x,e,z)) ] with F(x,e,z) = g^z / x^e.
Covertness against a malicious R, case 1: C ≠ COM(F(x,e,z)). Then by SPHF smoothness K_S is random given R's view of the SPHF (the projection key), so R learns nothing.
21
Compiler from ZKPK+ for L_ComCert to Covert COT (cont.)
Covert COT for L = { x : ∃ w s.t. x = g^w }: R → S: C = COM(a) with a = g^r; S → R: e ← $; R → S: z = r + e·w; then SPHF[ C = COM(F(x,e,z)) ] with F(x,e,z) = g^z / x^e.
Covertness against a malicious R, case 2: C = COM(F(x,e,z)). Then the Forking Lemma applies: rewinding R to the same committed a with two challenges yields two accepting transcripts (e, z), (e', z') with e ≠ e', and w ← Ext((e, z), (e', z')), so a covertness-breaking R yields a witness (strong soundness).
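A worked instance of the compiler on the slides, added here as an illustration and not code from the paper or the talk: the Schnorr Σ-protocol for L = { x : x = g^w } is turned into a covert COT by committing to the first message with ElGamal (under a commitment key h taken as the CRS) and letting the sender run the Cramer-Shoup SPHF for the DDH-tuple language "C encrypts F(x,e,z)". The `Receiver`, `Sender`, `run_cot`, `extract_witness` and `authenticate` names are mine; the group is a 62-bit Schnorr subgroup searched for at import time, a toy size picked so the example runs instantly, not a secure one; and `authenticate` replaces L_ComCert by the toy language above (a "certificate" is just knowledge of w), which is only a stand-in for the group-signature certificates of the real protocol.

```python
# Added example, not the paper's code: Sigma-protocol -> covert COT compiler for
# L = { x : exists w with x = g^w }, ElGamal commitment, Cramer-Shoup SPHF for DDH.
# TOY 62-bit group, searched for at import time; nothing here is a secure parameter.
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic for n < 3e23

def is_prime(n):
    """Miller-Rabin; deterministic for the sizes used here."""
    if n < 2 or any(n % b == 0 for b in MR_BASES):
        return n in MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in MR_BASES:
        y = pow(b, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Smallest q > 2^(bits-1) with q and p = 2q+1 both prime; returns (p, q)."""
    q = (1 << (bits - 1)) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(62)
G = 4                                            # a quadratic residue, hence of prime order Q
H_PK = pow(G, secrets.randbelow(Q - 1) + 1, P)   # commitment key from the CRS; nobody needs its dlog

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def commit(m, s):
    """Covert commitment COM(m; s): an ElGamal ciphertext, i.e. two random-looking group elements."""
    return pow(G, s, P), pow(H_PK, s, P) * m % P

def f_reconstruct(x, e, z):
    """F(x, e, z) = g^z / x^e: the first Sigma message an honest prover must have committed to."""
    return pow(G, z, P) * pow(x, (-e) % Q, P) % P

def kdf(v):
    return hashlib.sha256(v.to_bytes(16, "big")).digest()

class Receiver:
    """R holds a claimed witness w for x. Its messages C and z are uniform whether or not w is valid."""
    def __init__(self, x, w):
        self.x, self.w = x, w
    def commit_first_message(self):
        self.r, self.s = rand_exp(), rand_exp()
        self.C = commit(pow(G, self.r, P), self.s)   # C = COM(a) with a = g^r
        return self.C
    def respond(self, e):
        return (self.r + e * self.w) % Q              # z = r + e*w
    def key(self, hp):
        return kdf(pow(hp, self.s, P))                # projected hash; witness = decommitment s

class Sender:
    """S holds only x; its K_S matches K_R exactly when C = COM(F(x, e, z))."""
    def __init__(self, x):
        self.x = x
    def challenge(self, C):
        self.C, self.e = C, rand_exp()
        return self.e
    def projection_and_key(self, z):
        m = f_reconstruct(self.x, self.e, z)
        c1, c2 = self.C
        k1, k2 = rand_exp(), rand_exp()               # SPHF hashing key
        hp = pow(G, k1, P) * pow(H_PK, k2, P) % P     # projection key, uniform in the group
        h = pow(c1, k1, P) * pow(c2 * pow(m, -1, P) % P, k2, P) % P   # = hp^s iff (g,h,c1,c2/m) is DDH
        return hp, kdf(h)

def run_cot(x, w_claimed):
    """One covert COT session; returns (K_R, K_S)."""
    R, S = Receiver(x, w_claimed), Sender(x)
    C = R.commit_first_message()
    z = R.respond(S.challenge(C))
    hp, k_s = S.projection_and_key(z)
    return R.key(hp), k_s

def extract_witness(e1, z1, e2, z2):
    """Forking-lemma extractor: two accepting responses for the same committed a, e1 != e2."""
    return (z1 - z2) * pow((e1 - e2) % Q, -1, Q) % Q

def authenticate(x, w_a, w_b):
    """Slide-15 composition with a toy 'certificate' (knowing w for x = g^w): each party plays R
    for its own claim and S for the peer's, then derives one key from its two COT outputs."""
    ka_r, kb_s = run_cot(x, w_a)                      # A proves to B
    kb_r, ka_s = run_cot(x, w_b)                      # B proves to A
    return hashlib.sha256(ka_r + ka_s).digest(), hashlib.sha256(kb_s + kb_r).digest()
```

Every message on the wire is either a uniform exponent (e, z) or uniform group elements (C, hp), which is the covertness property of slides 20 and 21; a receiver without the witness still produces well-formed messages, but its K_R is then independent of K_S by SPHF smoothness (case 1), while a receiver whose commitment does open to F(x,e,z) can be rewound to two challenges and `extract_witness` recovers w (case 2).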
22
Extensions / Open Problems
1. Covert 2PC for any F in the CRS model in O(1) rounds
2. Definitions: composable covert MPC?
3. Shorter covert authentication (elliptic curves with a bilinear map)
4. Stronger covert authentication: full-fledged AKE
5. Other revocation models
6. Other applications of covertness (?)
… Many other topics in covert computation to explore!