Upload
savion-gillson
View
214
Download
1
Tags:
Embed Size (px)
Citation preview
Pairwise Key Agreement in Broadcasting Networks
- 2005.11.11- Ik Rae Jeong
Contents
I. Security Notions of Key ExchangeII. Type of NetworksIII. Key Agreement for Key Graphs
I. Security Notions of Key Exchange
• IA (Implicit Authentication)– Only a designated party can calculate the same sessio
n key. Dishonest parties can not get any information about the session key.
• KI (Key Independence)– security against Denning-Sacco attacks (known key attacks)– for the cases when other session keys are revealed
• FS (Forward Secrecy)– for the cases when long-term secrets are revealed
II. Types of Network
• half-duplex
• full-duplex
1m
2m
3m
4m
1m
2m
3m
4m
4 Rounds
2 Rounds
Alice Bob
Alice Bob
II. Types of Network
• Broadcasting Network
11m 21m 31m 41mRound 1
P1 P4P3P2
12m 22m 32m 42mRound 2
DH (half-duplex)
ag
bg
( )b ask g ( )a bsk g
Alice Bob
2 Rounds
DH (full-duplex)
ag
bg
( )b ask g ( )a bsk g
Alice Bob
1 Round
Session Identifier
• The unique string per session• Used to define matching session in
the definition of security of key exchange
• In the full-duplex channel: the message concatenation by the
ordering of owners
III. Key Agreement for Key Graphs
• We have constructed more efficient key exchange schemes which provides pairwise key exchange between parties via randomness re-use technique.
Sequential Key Exchangebetween Parties
P1
P4 P3
P2
Concurrent Key Exchangebetween Parties
P1
P4 P3
P2
Motivation
• How do we efficiently do concurrent execution of the two-party key exchange scheme ?
Our Results
• An efficient one-round key exchange scheme providing key independence in the standard model
• A two-round key exchange scheme providing forward secrecy in the standard model
Key Graphfor Session keys (1)
P1
P4 P3
P2G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P1,P3),(P1,P4)}
G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P2,P3),(P3,P4), (P4,P1)}
P1
P4 P3
P2
Key Graphfor Session keys (2)
G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P1,P3), (P2,P4), (P2,P5), (P3,P6), (P3,P7)}
G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P1,P3),(P1,P4), (P2,P3),(P2,P4),(P3,P4)}
P1
P4 P3
P2
P1
P4
P3P2
P5 P6 P7
Key Exchange Model for Key Graphs
• Broadcasting network• Several session keys in a single
session
One-Round Two-Party Diffie-Hellman Key Exchange
P1 P2
1g2g
1 2sk g
One-Round Concurrent Key Exchange using Two-Party Key Exchange
P1
P4 P3
P2
1,1g2g
1,1 2
1,2sk g
3g4g
1,2 3
1,3sk g 1,3 4
1,4sk g
1,2g1,3g
P1 requires three random values.
One-Round Concurrent Key Exchange using randomness re-use technique
P1
P4 P3
P2
1g 2g1 2
1,2sk g
3g4g
1 31,3sk g
1 41,4sk g
P1 requires one random values.
Randomness Re-useunder the DDH assumption
• Pairwise DDH assumption 1
11 1 2
1,2 1,1
1 1,2 1,
{0,1};
,..., , ,..., [1, ];
1, ( ,..., , ,..., );
( ,..., , ,..., );
' ( );
n n n
n nn
n n n
w w
b
w w q
if b I g g g g
else I g g g g
b A I
Exp
2Pr[ '] 1AAdv b b
Randomness Re-useunder the DDH assumption
• Pairwise DDH assumption 2
' ' 11 2
11 2
1
1
{0,1};
,..., , [1, ];
', ' ( ,..., )
1, ( ,..., ,..., );
( ,..., ,..., );
' ( );
i j n n
n n
n
n
w
b
w q
i j A
if b I g g g
else I g g g
b A I
Exp
2Pr[ '] 1AAdv b b
PKA1
P1 P4P3P2
1r 2r 3r 4r
11
xy g 22
xy g 33
xy g 44
xy g
1 2
1 3
1 4
1,2
1,3
2 3
1 4
1 4
,
( )
(
|| ||
)
( )
||
x x
x x
x x
g
g
g
sk F sid
sk F sid
s
sid r r r r
k F sid
Round 1:
KI in the standard model
F is a pseudo random function
PKA2
P1 P4P3P2
11
xy g 22
xy g 33
xy g 44
xy g
. ( )iii xS gen g
11||g 2
2||g 33||g 4
4||g Round 1:
1 2
1 3
1 4
1,2
1,3
1,4
sk g
sk g
sk g
FS in the standard model
Security
• PKA1 and PKA2 – reduced to the DDH problem in the
standard model
Discussion
• Key exchange for key graph is an extension of two-party key exchange.
• Key exchange for key graph can be used as a subprotocol of another protocol such as group key exchange protocols.
Thank You !