CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas Gross
-
Upload
thomas-gross -
Category
Documents
-
view
358 -
download
0
description
Transcript of CRYPTO\'10: Credential Authenticated Identification and Key Exchange - Thomas Gross
© 2009 IBM Corporation
Credential-Authenticated Identification and Key Exchange
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup 15 August 2010
2 © 2009 IBM Corporation
erasures adaptive
Alice and Bob want to talk...IBM Presentation Template Full Version
CAKE
3 © 2009 IBM Corporation
Secret Handshake
PAKE*
PAKE
What to do with a CAKE?
4 © 2009 IBM Corporation
Solution
IBM Presentation Template Full Version
Problem Tools
5 © 2009 IBM Corporation
IBM Presentation Template Full Version
What's the CAKE ideal functionality?
What's key ideal world building block?
What challenges to solve for CAKE?
Problem
6 © 2009 IBM Corporation
What's the Strong CAKE ideal functionality?Assummption:
Secure channel
Clarify: this is strongCAKE
1. Await inputs
2. On
With corruption else
7 © 2009 IBM Corporation
What is the enhanced zero knowledge ideal functionality?
1. On input such that send
2. Wait for
3. On input send to P
[Can2005]
8 © 2009 IBM Corporation
How to overcome dependency?
How to realize CAID protocols?
How torealize ?
How to construct CAID?
Protocols for useful relations?
9 © 2009 IBM Corporation
IBM Presentation Template Full Version
How to bootstrap an authenticated channel?
How to realize UC EZK?
How to prove equality?
Tools
10 © 2009 IBM Corporation
How to bootstrap an authenticated channel?Faites vos
jeux...
[BCLPR2005]
EITHER: OR:
11 © 2009 IBM Corporation
How to realize two-party split key exchange efficiently?
DH KE
Split Fn?
allAllows us to UC-realize split multi-
session secure channels under DDH.
12 © 2009 IBM Corporation
[JarLys2000]Committed proof
[MacYan2003]SSTC trapdoor commitment
How to realize enhanced zero-knowledge?
UCZK
[GaMaYa2003]Paillier encrypt and commit
Proof of representation
CRS CRS'
[GaMaYa2003, JarLys2000]
StrongRSA
13 © 2009 IBM Corporation
How to prove equality? Are secrets andequal?
Encrypts
tz
Random
[CraSho1998, JarLys2000]
UC-realize for under DDH assumption in the hybrid model.
KeyGen
Decrypt
Random
Mangle
Non-committing encryption
14 © 2009 IBM Corporation
IBM Presentation Template Full Version
How to put it all together?
How to prove the protocols UC secure?
Solution
15 © 2009 IBM Corporation
How to put it together and prove it UC secure?
DDH
CRS
Strong CAID
16 © 2009 IBM Corporation
How to put it together and prove it UC secure?
DDH
CRS
CDH
CRS
SPLITDDH
CRS
SPLIT
Strong CAID CAID
17 © 2009 IBM Corporation
DerivedProtocols
PAKE secure against adaptive corruptions, UC-secure under DDH, w/o ROM.PAKE* secure against adaptive corruptions and server compromise, UC-secure under DDH.
CAID* for : UC-secure under CDH.CAID* for : UC-secure under DDH.Split transformation to CAID.Split multi-session KE: UC-secure under DDH
Adaptive corruptions with erasuresCorruptionModel
SystemParameters
GeneralProtocols
Summary
of prime order , generator .Joint access to CRS (for & UCZK realization)
[http://eprint.iacr.org/2010/055]
© 2009 IBM Corporation
Credential-Authenticated Identification and Key ExchangeSpeaker: Thomas Gross ([email protected], thomasgross.net)Extended Version on IACR ePrint: http://eprint.iacr.org/2010/055
Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup 15 August 2010
19 © 2009 IBM Corporation
BACKUP
20 © 2009 IBM Corporation
How to realize CAID?
RandomRandom
Ifthenelse
Ifthenelse CAID:
local data
21 © 2009 IBM Corporation
How to prove the protocols UC secure?
CDH
CRS
DDH
CRS
CDH
CRS
DDH
CRS
==
SPLIT
SPLIT