CRYPTO'10: Credential Authenticated Identification and Key Exchange - Thomas Gross

© 2009 IBM Corporation Credential-Authenticated Identification and Key Exchange Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup 15 August 2010

description

We propose a protocol framework for credential-authenticated key exchange, in which two parties aim at establishing a secure channel without a joint PKI. Both parties prove in zero-knowledge that their credentials fulfill a relationship, say that both are citizens of a certain country or that they know a password. If they both fulfill the relation, they will obtain a joint random key for secure channel establishment. Otherwise they won’t learn anything about each other.

Transcript of CRYPTO'10: Credential Authenticated Identification and Key Exchange - Thomas Gross

Page 1: CRYPTO'10: Credential Authenticated Identification and Key Exchange - Thomas Gross

© 2009 IBM Corporation

Credential-Authenticated Identification and Key Exchange

Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup 15 August 2010

Page 2

erasures adaptive

Alice and Bob want to talk...

IBM Presentation Template Full Version

CAKE

Page 3

Secret Handshake

PAKE*

PAKE

What to do with a CAKE?

Page 4

Solution

Problem Tools

Page 5

What's the CAKE ideal functionality?

What's key ideal world building block?

What challenges to solve for CAKE?

Problem

Page 6

What's the Strong CAKE ideal functionality?

Assumption:

Secure channel

Clarify: this is Strong CAKE

1. Await inputs

2. On

With corruption else

Page 7

What is the enhanced zero knowledge ideal functionality?

1. On input such that send

2. Wait for

3. On input send to P

[Can2005]

Page 8

How to overcome dependency?

How to realize CAID protocols?

How to realize ?

How to construct CAID?

Protocols for useful relations?

Page 9

How to bootstrap an authenticated channel?

How to realize UC EZK?

How to prove equality?

Tools

Page 10

How to bootstrap an authenticated channel?

Place your bets...

[BCLPR2005]

EITHER: OR:

Page 11

How to realize two-party split key exchange efficiently?

DH KE

Split Fn?

Allows us to UC-realize split multi-session secure channels under DDH.

Page 12

[JarLys2000] Committed proof

[MacYan2003] SSTC trapdoor commitment

How to realize enhanced zero-knowledge?

UCZK

[GaMaYa2003] Paillier encrypt and commit

Proof of representation

CRS CRS'

[GaMaYa2003, JarLys2000]

Strong RSA

Page 13

How to prove equality? Are secrets and equal?

Encrypts

tz

Random

[CraSho1998, JarLys2000]

UC-realize for under DDH assumption in the hybrid model.

KeyGen

Decrypt

Random

Mangle

Non-committing encryption

Page 14

How to put it all together?

How to prove the protocols UC secure?

Solution

Page 15

How to put it together and prove it UC secure?

DDH

CRS

Strong CAID

Page 16

How to put it together and prove it UC secure?

DDH

CRS

CDH

CRS

SPLITDDH

CRS

SPLIT

Strong CAID CAID

Page 17

Summary

System Parameters

of prime order , generator .
Joint access to CRS (for & UCZK realization)

Corruption Model

Adaptive corruptions with erasures

General Protocols

CAID* for : UC-secure under CDH.
CAID* for : UC-secure under DDH.
Split transformation to CAID.
Split multi-session KE: UC-secure under DDH

Derived Protocols

PAKE secure against adaptive corruptions, UC-secure under DDH, w/o ROM.
PAKE* secure against adaptive corruptions and server compromise, UC-secure under DDH.

[http://eprint.iacr.org/2010/055]

Page 18

Credential-Authenticated Identification and Key Exchange

Speaker: Thomas Gross ([email protected], thomasgross.net)

Extended Version on IACR ePrint: http://eprint.iacr.org/2010/055

Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup 15 August 2010

Page 19

BACKUP

Page 20

How to realize CAID?

Random Random

If then else

If then else CAID:

local data

Page 21

How to prove the protocols UC secure?

CDH

CRS

DDH

CRS

CDH

CRS

DDH

CRS

==

SPLIT

SPLIT