Research on Password-Authenticated Group Key Exchange
TCC 2006
Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.)
Kouichi Sakurai (Kyushu Univ.)
March 5, 2006
Motivation
• A fundamental problem in cryptography is how to communicate securely over an insecure channel.
[Figure: two parties sharing a session key sk, used for data privacy/integrity]
• How can we obtain a secret session key?
• Public-key encryption or signatures: too costly for certain applications
• Password-Authenticated Key Exchange (PAKE)
– PAKE allows specified parties to share a secret key using just a human-memorable password.
– convenience, mobility, and fewer hardware requirements
– no security infrastructure required
Classification of PAKE
• According to the number of parties sharing a session key
– Two-party
– Multi-party (group)
• According to the sameness of the pre-shared passwords
– Parties with the same password
– Parties with different passwords
• According to the need for a server
– Model requiring the help of a server
– Model not requiring the help of a server
• According to the password form used by the client and server
– Symmetric model
– Asymmetric model (verifier-based model)
Our research topic on PAKE
- Password-Authenticated Group Key Exchange (PAGKE) -
[Figure: a group of users sharing one session key sk]
PAGKE: Setting
• A broadcast group consisting of a set of users
– each user holds a low-entropy secret (pw)
[Figure: the users of the group, each holding the same password pw]
Previous Works
• "Efficient Password-Based Group Key Exchange" (TrustBus '04), S. M. Lee, J. Y. Hwang, and D. H. Lee
– a provably secure constant-round PAGKE protocol
– forward-secure and secure against known-key attacks
– proven under the ideal-cipher and ideal-hash (random oracle) assumptions
• "Password-based Group Key Exchange in a Constant Number of Rounds" (PKC '06), M. Abdalla, E. Bresson, O. Chevassut, and D. Pointcheval
– a provably secure constant-round PAGKE protocol
– secure against known-key attacks
– proven under the ideal-cipher and ideal-hash (random oracle) assumptions
Our Goal
• The focus of this work is to provide a provably secure constant-round PAGKE protocol without using the random oracle model.
Preliminaries for the protocol
• Public information
– p: a safe prime such that p = 2q + 1 (q prime)
– G: the cyclic subgroup of Z_p^* of order q
– g_1, g_2: generators of G
– H: a one-way hash function
– F: a pseudo-random function family
Burmester and Desmedt's Protocol
(M. Burmester and Y. Desmedt, "A Secure and Efficient Conference Key Distribution System," in Proc. of EUROCRYPT '94)

Four users U_1, U_2, U_3, U_4 arranged in a ring; indices are taken modulo 4 (U_0 = U_4, U_5 = U_1).

Round 1 (R1): each U_i chooses $r_i \in_R \mathbb{Z}_q$ and broadcasts
$$X_i = g^{r_i}, \quad\text{i.e.}\quad X_1 = g^{r_1},\ X_2 = g^{r_2},\ X_3 = g^{r_3},\ X_4 = g^{r_4}$$

Round 2 (R2): each U_i computes and broadcasts
$$Y_i = \left(\frac{X_{i+1}}{X_{i-1}}\right)^{r_i} = \frac{g^{r_i r_{i+1}}}{g^{r_{i-1} r_i}}, \quad\text{i.e.}\quad Y_1 = \frac{g^{r_1 r_2}}{g^{r_4 r_1}},\ Y_2 = \frac{g^{r_2 r_3}}{g^{r_1 r_2}},\ Y_3 = \frac{g^{r_3 r_4}}{g^{r_2 r_3}},\ Y_4 = \frac{g^{r_4 r_1}}{g^{r_3 r_4}}$$

Key computation:
U_1: $sk = X_4^{4 r_1} \cdot Y_1^3 \cdot Y_2^2 \cdot Y_3 = g^{4 r_4 r_1} \cdot Y_1^3 \cdot Y_2^2 \cdot Y_3$
U_2: $sk = X_1^{4 r_2} \cdot Y_2^3 \cdot Y_3^2 \cdot Y_4 = g^{4 r_1 r_2} \cdot Y_2^3 \cdot Y_3^2 \cdot Y_4$
U_3: $sk = X_2^{4 r_3} \cdot Y_3^3 \cdot Y_4^2 \cdot Y_1 = g^{4 r_2 r_3} \cdot Y_3^3 \cdot Y_4^2 \cdot Y_1$
U_4: $sk = X_3^{4 r_4} \cdot Y_4^3 \cdot Y_1^2 \cdot Y_2 = g^{4 r_3 r_4} \cdot Y_4^3 \cdot Y_1^2 \cdot Y_2$

All four users obtain the same key
$$sk = g^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1} \bmod p$$
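As an added worked check (not on the original slides), the exponent of U_1's key telescopes to the common value; the same cancellation holds for U_2, U_3 and U_4 after rotating the indices:
$$\begin{aligned}
X_4^{4 r_1} \cdot Y_1^{3} \cdot Y_2^{2} \cdot Y_3
&= g^{4 r_4 r_1} \cdot g^{3(r_1 r_2 - r_4 r_1)} \cdot g^{2(r_2 r_3 - r_1 r_2)} \cdot g^{r_3 r_4 - r_2 r_3} \\
&= g^{(4-3)\, r_4 r_1 + (3-2)\, r_1 r_2 + (2-1)\, r_2 r_3 + r_3 r_4} \\
&= g^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1}.
\end{aligned}$$
For a ring of n users the same pattern gives $K_i = X_{i-1}^{\,n r_i} \prod_{j=0}^{n-2} Y_{i+j}^{\,n-1-j} = g^{\sum_{i=1}^{n} r_i r_{i+1}}$ (indices modulo n), which is the general Burmester-Desmedt key.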
Protocol
Same ring U_1, U_2, U_3, U_4 (indices modulo 4); every user holds the low-entropy password pw.

Round 1 (R1): each U_i chooses $r_i \in_R \mathbb{Z}_q$ and broadcasts
$$X_i = g_1^{r_i} \cdot g_2^{H(U_i \,\|\, pw)}, \quad\text{i.e.}\quad X_1 = g_1^{r_1} g_2^{H(U_1 \| pw)},\ X_2 = g_1^{r_2} g_2^{H(U_2 \| pw)},\ X_3 = g_1^{r_3} g_2^{H(U_3 \| pw)},\ X_4 = g_1^{r_4} g_2^{H(U_4 \| pw)}$$

Round 2 (R2): each U_i removes the password term from its two neighbours' values, $g_1^{r_j} = X_j / g_2^{H(U_j \| pw)}$ for $j = i \pm 1$ (only possible with knowledge of pw), and broadcasts
$$Y_i = \left(\frac{g_1^{r_{i+1}}}{g_1^{r_{i-1}}}\right)^{r_i} = \frac{g_1^{r_i r_{i+1}}}{g_1^{r_{i-1} r_i}}, \quad\text{i.e.}\quad Y_1 = \frac{g_1^{r_1 r_2}}{g_1^{r_4 r_1}},\ Y_2 = \frac{g_1^{r_2 r_3}}{g_1^{r_1 r_2}},\ Y_3 = \frac{g_1^{r_3 r_4}}{g_1^{r_2 r_3}},\ Y_4 = \frac{g_1^{r_4 r_1}}{g_1^{r_3 r_4}}$$

Key computation (as in Burmester-Desmedt):
U_1: $k = g_1^{4 r_4 r_1} \cdot Y_1^3 \cdot Y_2^2 \cdot Y_3$
U_2: $k = g_1^{4 r_1 r_2} \cdot Y_2^3 \cdot Y_3^2 \cdot Y_4$
U_3: $k = g_1^{4 r_2 r_3} \cdot Y_3^3 \cdot Y_4^2 \cdot Y_1$
U_4: $k = g_1^{4 r_3 r_4} \cdot Y_4^3 \cdot Y_1^2 \cdot Y_2$

Session key:
$$sk = F_k(U_1 \| \cdots \| U_4 \| X_1 \| \cdots \| X_4 \| Y_1 \| \cdots \| Y_4), \quad\text{where } k = g_1^{r_1 r_2 + r_2 r_3 + r_3 r_4 + r_4 r_1}$$
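As an added example (not from the slides and not the authors' code), the following Python runs the protocol above end to end for a ring of any size n >= 3, not just the four users drawn on the slide: each party blinds its Burmester-Desmedt share with $g_2^{H(U_i \| pw)}$, strips the same term from its neighbours' shares, and derives $sk = F_k(\text{transcript})$. The instantiations are assumptions of this example: SHA-256 stands in for H, HMAC-SHA256 for the PRF family F, $g_2$ is an independently sampled subgroup element, and a 64-bit safe prime is generated on the fly as a toy parameter.

```python
"""Password-authenticated Burmester-Desmedt group key exchange (illustrative example)."""
import hashlib
import hmac
import secrets
from typing import List, Tuple


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Group:
    """Order-q subgroup G of Z_p^* for a safe prime p = 2q + 1, with generators g1, g2."""

    def __init__(self, bits: int = 64):
        while True:  # toy-size safe prime; deployments use >= 2048-bit parameters
            q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
            if is_probable_prime(q) and is_probable_prime(2 * q + 1):
                break
        self.p, self.q = 2 * q + 1, q
        # Squaring a random element lands in the order-q subgroup; reject the identity.
        # Assumption: g2 sampled independently so that log_g1(g2) is unknown to everyone.
        self.g1, self.g2 = self._subgroup_generator(), self._subgroup_generator()

    def _subgroup_generator(self) -> int:
        while True:
            g = pow(secrets.randbelow(self.p - 3) + 2, 2, self.p)
            if g != 1:
                return g

    def encode(self, x: int) -> bytes:
        return x.to_bytes((self.p.bit_length() + 7) // 8, "big")


class Party:
    """User U_i in the ring; indices are taken modulo n as on the slides."""

    def __init__(self, index: int, ids: List[bytes], pw: bytes, grp: Group):
        self.i, self.ids, self.n, self.pw, self.grp = index, ids, len(ids), pw, grp
        self.r = self.X = self.Y = self.k = None

    def _blind(self, j: int) -> int:
        """g2^{H(U_j || pw)}: the password term masking g1^{r_j} inside X_j (SHA-256 as H)."""
        h = hashlib.sha256(self.ids[j] + b"||" + self.pw).digest()
        return pow(self.grp.g2, int.from_bytes(h, "big") % self.grp.q, self.grp.p)

    def _unblind(self, xs: List[int], j: int) -> int:
        """Recover g1^{r_j} from X_j; correct only if U_j used the same password."""
        return xs[j] * pow(self._blind(j), -1, self.grp.p) % self.grp.p

    def round1(self) -> int:
        self.r = secrets.randbelow(self.grp.q - 1) + 1
        self.X = pow(self.grp.g1, self.r, self.grp.p) * self._blind(self.i) % self.grp.p
        return self.X

    def round2(self, xs: List[int]) -> int:
        nxt, prv = (self.i + 1) % self.n, (self.i - 1) % self.n
        ratio = self._unblind(xs, nxt) * pow(self._unblind(xs, prv), -1, self.grp.p) % self.grp.p
        self.Y = pow(ratio, self.r, self.grp.p)  # (g1^{r_{i+1}} / g1^{r_{i-1}})^{r_i}
        return self.Y

    def session_key(self, xs: List[int], ys: List[int]) -> bytes:
        n, p = self.n, self.grp.p
        # k = (g1^{r_{i-1}})^{n r_i} * Y_i^{n-1} * Y_{i+1}^{n-2} * ... * Y_{i+n-2}
        k = pow(self._unblind(xs, (self.i - 1) % n), n * self.r, p)
        for j in range(n - 1):
            k = k * pow(ys[(self.i + j) % n], n - 1 - j, p) % p
        self.k = k
        # sk = F_k(U_1 || ... || U_n || X_1 || ... || X_n || Y_1 || ... || Y_n); HMAC-SHA256 as F
        transcript = b"||".join(self.ids + [self.grp.encode(x) for x in xs]
                                + [self.grp.encode(y) for y in ys])
        return hmac.new(self.grp.encode(k), transcript, hashlib.sha256).digest()


def run_pagke(ids: List[bytes], passwords: List[bytes], grp: Group) -> Tuple[List[bytes], List[Party]]:
    """Run both broadcast rounds and key derivation; returns every party's sk and the parties."""
    parties = [Party(i, ids, pw, grp) for i, pw in enumerate(passwords)]
    xs = [u.round1() for u in parties]     # round 1 broadcast
    ys = [u.round2(xs) for u in parties]   # round 2 broadcast
    return [u.session_key(xs, ys) for u in parties], parties


DEMO_GROUP = Group(bits=64)

if __name__ == "__main__":
    ids = [b"U1", b"U2", b"U3", b"U4"]  # constructed sample identities
    keys, _ = run_pagke(ids, [b"correct horse"] * 4, DEMO_GROUP)
    print("all four keys agree:", len(set(keys)) == 1)
    keys, _ = run_pagke(ids, [b"correct horse"] * 3 + [b"wrong guess"], DEMO_GROUP)
    print("keys agree when one user holds a wrong password:", len(set(keys)) == 1)
```

Two things worth noticing when running it: a party holding a wrong password does not learn anything from the failed run beyond the fact that the keys differ, because the $X_j$ it sees are uniformly distributed group elements for every password candidate, which is the property the dictionary-attack term of the security bound relies on; and the ring structure means a single mismatched password corrupts the $Y_i$ of both neighbours, so every party ends with a different key, not only the party that guessed wrong.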
Security Analysis
• Security theorem: under the intractability assumption of the DDH problem in G, and if F is a secure pseudo-random function family, the proposed protocol is secure against dictionary attacks and known-key attacks, and provides forward secrecy. Concretely,
$$\mathrm{Adv}^{\mathrm{pagke\text{-}kk\&fs}}_{\mathrm{PAGKE}}(t, q_{ex}, q_{se}) \le \frac{2\, q_{se}}{|PW|} + \frac{n\,(q_{se} + q_{ex})^2}{q} + (n + 2 n N_s + q_{se}) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G}(t) + \mathrm{Adv}^{\mathrm{prf}}_{F}(t),$$
where t is the maximum total game time including the adversary's running time, the adversary makes q_ex Execute queries and q_se Send queries, n is the upper bound on the number of parties in the game, N_s is the upper bound on the number of sessions the adversary creates, and |PW| is the size of the password space.
• Reading the bound: the password term grows only with the number of online Send queries q_se, not with the adversary's running time t, which is what rules out offline dictionary attacks; the remaining terms are the DDH and PRF advantages and a collision term for the random exponents.