13 October 2010 | Dr. Marc Fischlin | Kryptosicherheit | 1
Part VI
Composition
8th BIU Winter School on Key Exchange, 2018
Marc Fischlin
Marc Fischlin | BIU Winter School 2018 | 2
Secure Composition
key exchange: secure
channel: secure
key exchange + channel: secure?
Note: We want provable security of composition!
Marc Fischlin | Real World Crypto | SS 2017 | 3
Compositional Security of Bellare-Rogaway Key Exchange
Composition with any SymKey-Protocol
key exchange: key K, key K
Enc(K,m)
Enc(K,m')
Attack on composed protocol: adversary tries to find out m and/or m'
no REVEAL queries on composed protocol, but multiple instances
Brzuska, Fischlin, Warinschi, Williams: Composability of Bellare-Rogaway key exchange protocols, CCS 2011
Canetti, Krawczyk: Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels, Eurocrypt 2001
Prerequisites for Composition Result (I)
1. Key-exchange protocol needs to be forward secret
This channel session may have already started when the corrupt query on this party comes
key K1, key K2, key K3, key K4
Prerequisites for Composition Result (II)
1. Key-exchange protocol needs to be forward secret
key K1, key K2, key K3, key K4
2. We need to know session partners via transcripts (public session matching)
Proof Idea (I)
key K1 key K2 key K3 key K4
1. Replace keys (step-by-step) by random entries $
2. Each time replace partner key by same random string $
$1 $1 $2 $2
Proof Idea (II)
key K1 key K2 key K3 key K4
1. Replace keys (step-by-step) by random entries $
2. Each time replace partner key by same random string $
$1 key K1 $1 $2 $2
3. Key exchange protocol has become irrelevant
4. Adversary attacks (multi-instances of) symmetric protocol
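The key-replacement sequence from the two proof-idea slides, as an added example that is not part of the original slides. The session records, the transcript strings and the function names are constructed for illustration; partners are found by comparing transcripts (public session matching).

```python
import secrets

def partners(sessions):
    """Public session matching: equal transcripts mean partnered sessions.
    Returns the distinct transcripts in order of first appearance."""
    seen = []
    for s in sessions:
        if s["transcript"] not in seen:
            seen.append(s["transcript"])
    return seen

def sample_fresh(sessions):
    """One random string ($1, $2, ...) per partnered group."""
    return {t: secrets.token_bytes(16) for t in partners(sessions)}

def hybrid(sessions, i, fresh):
    """Game i: the keys of the first i partnered groups are replaced by
    random strings, and both partners receive the same string."""
    swapped = set(partners(sessions)[:i])
    return [dict(s, key=fresh[s["transcript"]]) if s["transcript"] in swapped
            else dict(s) for s in sessions]

def changed(game_a, game_b):
    """Indices of the sessions whose key differs between two games."""
    return [n for n, (a, b) in enumerate(zip(game_a, game_b))
            if a["key"] != b["key"]]

# Constructed sample: K1/K2 belong to partners, K3/K4 belong to partners.
K12, K34 = secrets.token_bytes(16), secrets.token_bytes(16)
SESSIONS = [
    {"owner": "A", "transcript": b"t1", "key": K12},  # key K1
    {"owner": "B", "transcript": b"t1", "key": K12},  # key K2
    {"owner": "A", "transcript": b"t2", "key": K34},  # key K3
    {"owner": "C", "transcript": b"t2", "key": K34},  # key K4
]
FRESH = sample_fresh(SESSIONS)
GAMES = [hybrid(SESSIONS, i, FRESH) for i in range(3)]

if __name__ == "__main__":
    for i in range(2):
        print(f"game {i} -> game {i + 1}: sessions",
              changed(GAMES[i], GAMES[i + 1]))
```

Neighbouring games differ in exactly one partnered pair, and in the last game no session key depends on the key exchange any more.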
Simulation-based Security
So far: Game-based Security
real key in TEST session vs. random key in TEST session
Simulation-based Security
Function F
Whatever an adversary can learn when attacking real protocol, can be learned by a simulator in ideal world where F performs task securely.
"Real World" (REAL): Adversary A, the real-world adversary
"Ideal World" (IDEAL): Simulator S, the ideal-world adversary
Rule of Thumb
Protocol complexity( ) Protocol complexity( )
Security guarantees( ) Security guarantees( )
sometimes identical:
semantically secure encryption = IND-CPA
sometimes different:
ZK proofs > WI proofs
Universal Composition (UC)
General Composition Problem
Other protocol executions may interfere with the execution in question
(input/output behavior, timing of messages, …)
Towards General Composition
Move other executions
into abstract environment
Universally Composable Security
REAL: Adversary A
IDEAL: Simulator S, Function F
Environments Z: provides inputs and reads outputs, instructs adversary and asks for information
Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols, FOCS 2001
UC is special
Stand-alone model: Encryption, Commitments
UC model: Encryption, Commitments (at least without setup)
Canetti, Fischlin: Universally Composable Commitment Schemes, Crypto 2001
Ideal Commitment (simplified)
Fcom:
(sid,commit,b,R): store (sid,b,R)
(sid,open): (sid,opened,b) to R
Impossibility of UC Commitments (I)
1. Corrupt Receiver: command Receiver to act honestly and to report all incoming messages
2. Flip bit b
3. (commit,b)
4. open
5. verify opening against b
(same steps against the real protocol and against Fcom)
Impossibility of UC Commitments (II)
1. Corrupt Receiver: command Receiver to act honestly and to report all incoming messages
2. Flip bit b
3. (commit,b)
4. open
5. verify opening against b
With Fcom: in 3. simulator S would have to report commitment communication before learning b
Communication with Receiver is binding
Simulator is wrong with probability 1/2
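The environment's five steps run against both worlds, as an added example that is not part of the original slides. The SHA-256 commitment is a constructed stand-in for any binding scheme, and the simulator is modelled as guessing the bit, which is an assumption made here: binding leaves it only the opening for the bit it actually committed to.

```python
import hashlib
import secrets

def commit(bit):
    """Toy binding commitment (constructed stand-in): SHA-256(bit || r)."""
    r = secrets.token_bytes(16)
    return hashlib.sha256(bytes([bit]) + r).digest(), r

def verify(com, bit, r):
    return hashlib.sha256(bytes([bit]) + r).digest() == com

class Simulator:
    """Ideal-world adversary; it never sees b before the open step."""
    def on_commit(self):
        # Fcom only signals that a commitment was made, so the reported
        # commitment message is produced without knowledge of b.
        self.guess = secrets.randbelow(2)
        self.com, self.r = commit(self.guess)
        return self.com

    def on_open(self, b):
        # Fcom now delivers (sid,opened,b); the only opening S holds is
        # the one for its guess, which verifies only if guess == b.
        return b, self.r

def environment(ideal, trials=2000):
    """Steps 2-5 of the slide; returns the fraction of accepted openings."""
    accepted = 0
    for _ in range(trials):
        b = secrets.randbelow(2)            # 2. flip bit b
        if ideal:
            sim = Simulator()
            com = sim.on_commit()           # 3. (commit,b) reaches Fcom only
            bit, r = sim.on_open(b)         # 4. open
        else:
            com, r = commit(b)              # 3. honest committer commits to b
            bit = b                         # 4. open
        accepted += verify(com, bit, r)     # 5. verify opening against b
    return accepted / trials

if __name__ == "__main__":
    print("REAL  accepts:", environment(ideal=False))
    print("IDEAL accepts:", environment(ideal=True))
```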
Universally Composable Key Exchange
Ideal Key Exchange (simplified)
FKE:
(sid,init-session,C,S): store (sid,C,S)
If there exists already (sid,S,C) then
(a) if both parties honest, pick key K and send it to both parties
(b) if one corrupt, ask adversary about key value K and send it to honest party
Output: (sid,C,S,K)
Canetti, Krawczyk: Universally Composable Notions of Key Exchange and Secure Channels, Eurocrypt 2002
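The simplified FKE from this slide written out as a small state machine, as an added example that is not part of the original slides. The class, its method names and the adversary_key callback are constructed for illustration; only the two rules (a) and (b) come from the slide.

```python
import secrets

class IdealKeyExchange:
    """Simplified F_KE: stores init-session requests and hands out keys."""

    def __init__(self, corrupted=(), adversary_key=None):
        self.corrupted = set(corrupted)
        self.adversary_key = adversary_key   # callable(sid, party, peer) -> key
        self.stored = set()                  # pending (sid, party, peer) records

    def init_session(self, sid, party, peer):
        """Handle (sid,init-session,party,peer); returns {receiver: output}."""
        if (sid, peer, party) not in self.stored:
            # No matching record from the peer yet: store and wait.
            self.stored.add((sid, party, peer))
            return {}
        self.stored.discard((sid, peer, party))
        both = (party, peer)
        if self.corrupted.isdisjoint(both):
            # (a) both honest: F_KE picks K itself, both parties receive it.
            key = secrets.token_bytes(32)
            receivers = both
        else:
            # (b) one corrupt: the adversary determines K, and only the
            # honest party receives an output from F_KE.
            key = self.adversary_key(sid, party, peer)
            receivers = [p for p in both if p not in self.corrupted]
        return {p: (sid, party, peer, key) for p in receivers}

def demo():
    honest = IdealKeyExchange()
    honest.init_session("sid-1", "C", "S")
    out_honest = honest.init_session("sid-1", "S", "C")

    fixed = b"\x00" * 32                     # constructed adversarial choice
    mixed = IdealKeyExchange(corrupted={"S"},
                             adversary_key=lambda sid, a, b: fixed)
    mixed.init_session("sid-2", "C", "S")
    out_mixed = mixed.init_session("sid-2", "S", "C")
    return out_honest, out_mixed

if __name__ == "__main__":
    print(demo())
```

In case (b) the honest party's key carries no secrecy guarantee at all, which is exactly what the ideal functionality concedes once the peer is corrupt.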
The Commitment Problem, again
(assume authenticated links)
1. Wait for party to output key K
2. Corrupt before receiving g^y
Simulator S would have to provide secret x before knowing key K
ACKnowledgements to Rescue
ACK-property: If corruption happens, then simulator can provide consistent(-ly looking) state (given key K)
ISO/IEC 9798-3 / SIG-DH is UC-secure key exchange protocol
Equivalence of CK and UC
Stand-alone model: CK-secure KE (with ACK-property)
UC model: UC-secure KE
The End