Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf ·...
Transcript of Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf ·...
![Page 1: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/1.jpg)
2018-06-11
Horst Görtz Institute for IT Security
Chair for Network and Data Security
Generalization and Modularization of the ACCE Model
SKECH Workshop
Benjamin Dowling, Paul Rösler, Jörg Schwenk
![Page 2: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/2.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 2
Agenda
• Key Exchange + Channel = ?
• Generalization of ACCE
• Modularization of ACCE
• Application to Noise
![Page 3: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/3.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 3
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
●
k k
![Page 4: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/4.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 4
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
●
k k
m m
f(k)
![Page 5: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/5.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 5
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
●
k
m m
f(k)
k
![Page 6: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/6.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 6
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol CCS14
●
k k
k k
k k
![Page 7: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/7.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 7
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol CCS14
●
k k
m m
c
k k
m m
c
k k
m m
![Page 8: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/8.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 8
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol CCS14
●
k k
m m
c
k k
m m
c
k k
m m
Authentication from first message
![Page 9: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/9.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 9
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15
●
k k
m m
c
k k
m m
c
k k
m m
Authentication more modular
![Page 10: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/10.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 10
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
●
k k
m m
c
k k
m m
c
k k
m mReplay attacks
allowed, internal keys…?!
![Page 11: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/11.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 11
c
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
●
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 12: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/12.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 12
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
• Two stage channel establishment
• Lychev et al.: How Secure and Quick is QUIC?
Provable Security and Performance Analyses
S&P15
●
c
k k
m m
c
k k
m m
f(k)
![Page 13: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/13.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 13
Key Exchange + Channel = ?
• Key exchange then symmetric protocol
• Brzuska et al.: Composability of Bellare-Rogaway
Key Exchange Protocols CCS11
• Channel establishment• Jager et al.: On the Security of TLS-DHE in the
Standard Model C12
• Key exchange and symmetric protocol
• Fischlin, Günther: Multi-Stage Key Exchange and
the Case of Google's QUIC Protocol + DFGS15 +
FG17
• Two stage channel establishment
• Lychev et al.: How Secure and Quick is QUIC?
Provable Security and Performance Analyses
S&P15
• What is so new about it?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 14: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/14.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 14
c
Generic and Modular ACCE
• What is so new about it?• Generic model
(i.e., independent ofanalyzed protocol)
●
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 15: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/15.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 15
c
Generic and Modular ACCE
• What is so new about it?• Generic model
(i.e., independent ofanalyzed protocol)
• Channel security under key usage in KE, full modularity for security properties
●
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 16: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/16.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 16
Generic and Modular ACCE
• What is so new about it?• Generic model
(i.e., independent ofanalyzed protocol)
• Channel security under key usage in KE, full modularity for security properties
• Allows to analyze protocols as they are
• Signal*
• Noise
→ Wireguard
* Composition of X3DH and DRAlg?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 17: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/17.jpg)
Key Exchange + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
![Page 18: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/18.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 18
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 19: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/19.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 19
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 20: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/20.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 20
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 21: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/21.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 21
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 22: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/22.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 22
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 23: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/23.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 23
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?• Initiator = client, responder = server, unilateral authentication = server authentication?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 24: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/24.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 24
Generalization of ACCE
• ACCE modeled with TLS 1.2 in mind
• QACCE modeled with QUIC in mind
• ACCE is an own primitive
contains whole transcript
• Generically:• No distinct key (e.g., suppose asymmetric PKE channels)• No pre-/post accept phase (see e.g., QUIC, TLS 1.3, Noise)• First ping-pong, then concurrency not mandatory (e.g., channel per stage bidirectional)• Length-hiding an intrinsic property?• Initiator = client, responder = server, unilateral authentication = server authentication?
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 25: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/25.jpg)
Key Exchange + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
![Page 26: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/26.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 26
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 27: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/27.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 27
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 28: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/28.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 28
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 29: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/29.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 29
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
• We keep channel simple (i.e., stAE)
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 30: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/30.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 30
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
• We keep channel simple (i.e., stAE)
• Properties can be reached…• … for each party separately
●
c
k k
m m
c
k k
m m
c
k k
m m
f(k)
![Page 31: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/31.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 31
Modularization of ACCE
• Channel can provide several properties• Authentication
• KCI resistance
• Forward secrecy
• Resistance against replay attacks
• Resistance against weak randomness
• We keep channel simple (i.e., stAE)
• Properties can be reached…• … for each party separately
• … at different stages during the protocol execution (via round trips [RTs])
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
![Page 32: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/32.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 32
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
![Page 33: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/33.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 33
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
![Page 34: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/34.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 34
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
• No keys to defines stages (as in MS-KE)
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
![Page 35: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/35.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 35
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
• No keys to defines stages (as in MS-KE)
• Usual in KE, ratcheting (see Signal, Bertram’s talk)
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
![Page 36: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/36.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 36
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• Round trips:• Interaction between parties
• Denote epochs in communication
• No keys to defines stages (as in MS-KE)
• Usual in KE, ratcheting (see Signal, Bertram’s talk)
• Further extension within RTs• Too complex for the use-case here
●
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
m
m…m
![Page 37: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/37.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 37
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:
●
m
m
m
m
m
m
…
…
…
![Page 38: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/38.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 38
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
●
m
m
m
m
m
m
…
…
…
![Page 39: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/39.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 39
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
• E.g. resistance against weak randomnessnot direction-dependent
●
m
m
m
m
m
m
…
…
…
![Page 40: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/40.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 40
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
• E.g. resistance against weak randomnessnot direction-dependent
• 5*2+1 counters index our security definition:aui,aur, kci,kcr, fsi,fsr, rpi,rpr, ori,orr,eck ∈ {0,0.5,1,1.5,… ,∞}
●
m
m
m
m
m
m
…
…
…
![Page 41: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/41.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 41
Modularization of ACCE
• Properties can be reached…• … for each party separately
• … at different stages during theprotocol execution (via RTs)
• For each party separately:• Authentication A-to-B with message A-to-B
• E.g. resistance against weak randomnessnot direction-dependent
• 5*2+1 counters index our security definition:aui,aur, kci,kcr, fsi,fsr, rpi,rpr, ori,orr,eck ∈ {0,0.5,1,1.5,… ,∞}
●
m
m
m
m
m
m
…
…
…
![Page 42: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/42.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 42
Modularization of ACCE
• Adversary has to guess a challenge bit• Enc and Dec embed challenges (stAE)
●
m
m
m
m
m
m
…
…
…
![Page 43: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/43.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 43
Modularization of ACCE
• Adversary has to guess a challenge bit• Enc and Dec embed challenges (stAE)
• Adversarial behavior leaks bits of someRTs, but some must stay secure
→ Challenge bits for each RT
●
m
m
m
m
m
m
…
…
…
![Page 44: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/44.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 44
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
●
m
m
m
m
m
m
…
…
…
![Page 45: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/45.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 45
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
• Reveal session states• There are no keys anymore (by syntax)
●
m
m
m
m
m
m
…
…
…
![Page 46: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/46.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 46
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
• Reveal session states• There are no keys anymore (by syntax)
• What does independence of sessions mean inprotocols of long duration (idea of Reveal in BR93)?
●
m
m
m
m
m
m
…
…
…
![Page 47: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/47.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 47
Modularization of ACCE
• Adversary can• Actively attack sessions
• Corrupt parties
• Reveal session randomness
• Reveal session states• There are no keys anymore (by syntax)
• What does independence of sessions mean inprotocols of long duration (idea of Reveal in BR93)?
• What are the effects of replay attacks w.r.t. session independence?
●
m
m
m
m
m
m
…
…
…
![Page 48: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/48.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 48
Modularization of ACCE
• Resistance against replay attacks• Within session modeled by stateful AE
●
m
m
m
m
m
m
…
…
…
![Page 49: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/49.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 49
Modularization of ACCE
• Resistance against replay attacks• Within session modeled by stateful AE
• Inter session: Impact of state Reveal
• Not only dependents on symmetric key
• Also on ephemeral asymmetric secrets
●
m
m
m
m
m
m
…
…
…
gB
ga
f(gaB)
![Page 50: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/50.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 50
Modularization of ACCE
• Resistance against replay attacks• Within session modeled by stateful AE
• Inter session: Impact of state Reveal
rpi,rpr denote RT after which revealedstate cannot be used to reestablishsession
• Not only dependents on symmetric key
• Also on ephemeral asymmetric secrets
●
m
m
m
m
m
m
…
…
…
gB
ga
f(gaB)
![Page 51: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/51.jpg)
Key Exchange + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
![Page 52: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/52.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 52
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):
●
![Page 53: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/53.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 53
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):• Who knows whom a priori?
• Who should authenticate?
• How fast should messages be transmitted?
• Which further properties shall be reached(forward secrecy, identity hiding, …)?
●
![Page 54: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/54.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 54
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):
• implemented in Java, C, Haskell, Python, Javascript, …
• used in WhatsApp, Wireguard, Slack, …
• for homogenous networks(i.e., all parties are configured equally)
●
![Page 55: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/55.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 55
Application to Noise
• Protocol framework for channel establishment• using DH group, AEAD, hash function, KDF
• for different scenarios (15 patterns):
• implemented in Java, C, Haskell, Python, Javascript, …
• used in WhatsApp, Wireguard, Slack, …
• for homogenous networks(i.e., all parties are configured equally)
• Security claimed but not proven yet• Concurrent work by Nadim Kobeissi
(noiseexplorer.com) using ProVerif
●
![Page 56: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/56.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 56
Application to Noise●
![Page 57: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/57.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 57
Application to Noise●
![Page 58: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/58.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 58
Application to Noise●
![Page 59: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/59.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 59
Application to Noise●
![Page 60: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/60.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 60
Application to Noise●
![Page 61: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/61.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 61
Application to Noise●
![Page 62: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/62.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 62
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
●
![Page 63: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/63.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 63
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
![Page 64: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/64.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 64
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
![Page 65: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/65.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 65
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
![Page 66: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/66.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 66
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
![Page 67: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/67.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 67
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
![Page 68: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/68.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 68
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
●
![Page 69: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/69.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 69
Application to Noise
• Security claimed but not proven yet• Authentication + KCI resistance
• Confidentiality + Forward secrecy+ Resistance against replay attacks
• Resistance against weak randomness
●
![Page 70: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/70.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 70
Application to Noise●
![Page 71: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/71.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 71
Application to Noise●
![Page 72: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/72.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 72
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
![Page 73: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/73.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 73
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
• Further extensions regarding• Intra-epoch properties• Channel properties
![Page 74: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/74.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 74
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
• Further extensions regarding• Intra-epoch properties• Channel properties
• Further properties of Noise• Negotiation• Identity hiding
![Page 75: Generalization and Modularization of the ACCE Modelroeslpa.de/files/180626_skech_macce.pdf · Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro](https://reader034.fdocuments.in/reader034/viewer/2022052320/5f220959081f3350e46e4b2d/html5/thumbnails/75.jpg)
KE + Channel = ?
Generalization of ACCE
Modularization of ACCE
Application to Noise
Generalization and Modularization of the ACCE Model SKECH Workshop | Paul Rösler | Bertinoro | 2018-07-11 75
Outlook
• Generalization of ACCE
• Modularization of ACCE(as MS-KE modularizes BR93)
• Computational security proofs for Noise
• Further extensions regarding• Intra-epoch properties• Channel properties
• Further properties of Noise• Negotiation• Identity hiding
• Discussions• What means sessions are independent
in protocols of long duration?
• Is ACCE as bad as it is advertised?
• What can MS-KE learn from our model?
• Can abstract (MS-)KE with channel in which key is used to a higher level?