Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages (original) (raw)

2013, Lecture Notes in Computer Science

Authenticated Key Exchange (AKE) protocols enable two parties to establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (i.e., lowentropy) secret keys or credentials. In this paper, we provide a general framework, that encompasses several previous AKE primitives such as (Verifier-based) Password-Authenticated Key Exchange or Secret Handshakes, we call LAKE for Language-Authenticated Key Exchange. We first model this general primitive in the Universal Composability (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need smooth projective hash functions on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defined by combinations of linear pairing product equations. Combined with an efficient commitment scheme, that is derived from the highly-efficient UC-secure Lindell's commitment, we obtain a very practical realization of Secret Handshakes, but also Credential-Authenticated Key Exchange protocols. All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption. Motivation. PAKE, for Password-Authenticated Key Exchange, was formalized by Bellovin and Merritt [BM92] and followed by many proposals based on different cryptographic assumptions (see [ACP09,CCGS10] and references therein). It allows users to generate a strong cryptographic key based on a shared "human-memorable" (i.e. low-entropy) password without requiring a public-key infrastructure. In this setting, an adversary controlling all communication in the network should not be able to mount an off-line dictionary attack. The concept of Secret Handshakes has been introduced in 2003 by Balfanz, Durfee, Shankar, Smetters, Staddon and Wong [BDS + 03] (see also [JL09, AKB07]). It allows two members of the same group to identify each other secretly, in the sense that each party reveals his affiliation to the other only if they are members of the same group. At the end of the protocol, the parties can set up an ephemeral session key for securing further communication between them and an outsider is unable to determine if the handshake succeeded. In case of failure, the players do not learn any information about the other party's affiliation. More recently, Credential-Authenticated Key Exchange (CAKE) was presented by Camenisch, Casati, Groß and Shoup [CCGS10]. In this primitive, a common key is established if and only if a specific relation is satisfied between credentials hold by the two players. This primitive includes variants of PAKE and Secret Handshakes, and namely Verifier-based PAKE, where the client owns a password pw and the server knows a one-way transformation v of the password only. It prevents massive password recovering in case of server corruption. The two players eventually agree on a common high entropy secret if and only if pw and v match together, and off-line dictionary attacks are prevented for third-party players. Our Results. We propose a new primitive that encompasses most of the previous notions of authenticated key exchange. It is closely related to CAKE and we call it LAKE, for Language-Authenticated Key-Exchange, since parties establish a common key if and only if they hold credentials that belong to specific (and possibly independent) languages. The definition of the primitive is more practice-oriented than the definition of CAKE