Cryptographic Protocol Composition: Theory and Applications
Yunlei Zhao, Fudan University
ITCS, Tsinghua University
Tsinghua-CUHK Workshop, 2007-12-25

Agenda
• Brief Introduction
• Cryptographic protocols over Internet
• Deniable Internet Key-Exchange

Brief Introductions
An invited talk given by Shafi Goldwasser at FOCS 97, with the title: "New directions in cryptography: twenty some years later (or cryptography and complexity theory: a match made in heaven)".

Keynotes of Goldwasser's Talk
• The most significant progress in the field of modern cryptography in the last two decades is to base cryptography on computational complexity theory.
• It is computational complexity theory that brings cryptography from art into rigorous science.
• The successful interplay between complexity theory and cryptography, witnessed perhaps most vividly by the developments with: pseudorandomness, interactive and zero-knowledge proofs, PCP ....
• New direction at 1997: composition of cryptographic systems, ...

Cryptographic protocols over Internet
Started with concurrent ZK in STOC98, shortly after Goldwasser's invited talk at FOCS97.

Zero-Knowledge: ZK
• By now, zero-knowledge has been playing a central role in modern cryptography, and has found important applications in almost all branches of modern cryptography.
• Test-bed of (advanced) cryptography theory.

Crypto Protocols over Internet
[Figure: protocols running concurrently over the Internet. Source: www.vpn-technology.com]

Three Types of Security Concerns for ZK over Internet
1. Concurrent zero-knowledge (concurrent prover security);
2. Concurrent soundness and knowledge extraction (concurrent verifier security);
3. Concurrent non-malleability (concurrent channel non-malleability security).

Concurrent prover security: CZK
[Figure: concurrent zero-knowledge setting]

Concurrent knowledge-extraction in the Public-Key Model
How to ensure an adversary does know what it claims to know, when transactions are conducted concurrently over the Internet? (Yung-Zhao, TCC06)
[Figure: a malicious prover interacting concurrently with several Verifier(PK) instances]
• Concurrent Knowledge-Extractability (Yao, Yung and Zhao, Eurocrypt07, ECCC07).
• Security formulation: KEI, knowledge-extraction independence. How to formulate KEI?
• Protocol implementations: general and practical, list of subtleties, novel paradigm.

Traditional Non-malleability (NM)
• Traditional NM refers to the channel security between two honest players in a stand-alone execution of the protocol.
• Original motivation for PKE-NM2 = PKE-CCA2: given c = g^v h^r, the adversary forms c* = c^2 = g^{2v} h^{2r}.
• NM means either (right transcript = left transcript) or (right transcript is independent of left transcript) for any PPT adversary.

Concurrent Non-Malleability: Channel Security over Internet
Concurrent composition of the same protocol.
[Figure: concurrent man-in-the-middle between many left and right sessions]

CNM from CRS to BPK: Yao, Yao, Zhao
• Previous CNM results are based on the Common Random String (CRS) model, assuming a trusted third party.
• We build up CNM cryptography in the weakest Bare Public-Key (BPK) model in general, where in particular no trusted third party is assumed.
• Reformulate CNM in the public-key model.
• Constant-round CNM coin-tossing.

Universal Composition (UC)
• Aimed at the ultimate security goal of protocol composition.
• Whatever can be done by a concurrent man-in-the-middle over the Internet can be simulated by a PPT simulator against an idealized functionality.
• The formulation is extremely abstract, complicated, uneasy to work with ...
• Widely acclaimed ... But the interpretation of the precise security guarantee turns out to be itself very subtle ...

Precise Interpretation of UC [YYZ07, CDPW07, YYZ07]
[Figure: UC environment; Generalized UC (GUC); Full UC (FUC)]

Deniable Internet Key-Exchange

Diffie-Hellman Key-Exchange (DHKE) [DH'76]
A -> B: A, g^x
B -> A: B, g^y
• Both parties compute the secret key K = g^{xy}.
• Assumes authenticated channels (DDH assumption).
• Open to m-i-t-m in a realistic unauthenticated setting.

Key-exchange (KE)
• Key-exchange (KE) is a long-tradition and fundamental area of cryptography: at the root of public-key cryptography.
• But also a quite special area of cryptography: seemingly simple yet extremely error-prone, and can be notoriously subtle!
• Motivated the formulation of frameworks for provable security of KE.

Frameworks for Key-Exchange over Internet
• Bellare, Rogaway, Crypto93
• Bellare, Canetti and Krawczyk, STOC98
• Canetti and Krawczyk, Eurocrypt01
• Canetti and Krawczyk, Crypto02
• And more ...

The notorious situation of KE
• All frameworks turn out to be insufficient: some very essential security properties of KE are not captured.
• How to correctly formulate the security of DHKE turns out to be a quite debatable issue.
• One of the main sources of the recent hot arguments about the value of provable security.

A New Framework for Diffie-Hellman Protocols
• The YYZ new framework, for both security and privacy of DHKE.
• Core security: tag-based robust non-malleability.
• Implication of all known essential security properties of KE: the first framework with such robust security implications.
• Guiding the design of Deniable IKE: adds novel characteristics and real value to IKEv2 and SSH, etc.

SIGMA and Internet Key-Exchange IKEv2
A -> B: g^x
B -> A: g^y
A -> B: A, SIG_A(0, g^y, g^x), MAC_{Km}(0, A)
B -> A: B, SIG_B(1, g^x, g^y), MAC_{Km}(1, B)
• The core cryptographic protocol to ensure Internet security.
• The core of the Internet Protocol Security (IPsec) standards.

YYZ Deniable IKE
Public-key: User A has public-key g^a, B has public-key g^b.
Actual implementation (left) and natural language interpretation (right):
A -> B: sid, X = g^x                                                "I wanna have a session with DH component X"
B -> A: sid, B, Y = g^y, NMZK(B,y) = MAC_{H(sid,Y,X,X^y)}(B)        "Ok, Y 'is sent by B' who knows y"
A -> B: sid, A, NMZK(a,x) = MAC_{H(sid,X,Y,Y^a,Y^x)}(A)             "Well, I TRULY know (a,x)"
B -> A: sid, NMZK(b,y) = MAC_{H(sid,Y,X,X^b,X^y)}(B)                "I TRULY know (b,y) as well"

Features: Security & Privacy Preserving
• Post-specified peer: messages from one party do not include its peer's ID and public-key.
• Concurrent and forward deniability: the authentic message from one party can be computed merely from its peer's ephemeral DH exponent, i.e., x or y.
• The beauty of deniable IKE: (1) subsequent deniability; (2) critical IP-layer deniability.
• CNM/UC ZK authentic binding: conceptual simplicity and clarity.
• Provable security in the YYZ framework: implications of all known security properties, much beyond the CK-framework.
• Deniable proof-of-knowledge vs. signatures: more practical and also more secure!
• Compatibility with SIGMA and HMQV.

Applications and Implications
• SSH
• Universally composable and deniable MessageAuthenticator
• PKI: on-line key-registration with proof-of-knowledge (of the secret key)

Candidate for IKEv3?
Design rationales:
• Conceptually simple and clear.
• Guided by the YYZ framework for secure and privacy-preserving DHKE.
• More practical than SIGMA and IKEv2.
• More secure than SIGMA and IKEv2.
• Salient advantageous privacy protection: a major concern for the next generation of IKE.
But standardization may not be based merely on technical reasons!

And one truly last word ...
ThAnKs ☺
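As an added illustration of the YYZ Deniable IKE slide (example code written for this page, not the authors' implementation): a toy run of the four-message exchange, with the slide's H(sid, ...) modelled as SHA-256 and MAC as HMAC-SHA256 (assumptions; the slide fixes neither), followed by a check of the deniability feature: B can reproduce A's authenticator from y and A's public key alone, because Y^a = (g^a)^y and Y^x = X^y. Group parameters are constructed toy values.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this demo only (not a secure choice; use a standard
# MODP group or an elliptic curve in practice). Only exponent arithmetic matters here.
P = 2**127 - 1
G = 3

def H(*parts):
    """Key-derivation H(sid, ...) from the slide, modelled as SHA-256 (assumption)."""
    return hashlib.sha256(b"|".join(str(v).encode() for v in parts)).digest()

def nmzk(key, identity):
    """MAC_{H(...)}(identity): the authenticator the slide labels NMZK(...), as HMAC."""
    return hmac.new(key, identity.encode(), hashlib.sha256).digest()

def run_deniable_ike(a, b, x, y, sid):
    """Four-message YYZ deniable IKE. A holds (a, x), B holds (b, y).
    Returns the DH components, A's authenticator and whether every check passed."""
    A_pub, B_pub = pow(G, a, P), pow(G, b, P)   # long-term public keys g^a, g^b
    X, Y = pow(G, x, P), pow(G, y, P)           # ephemeral DH components
    # msg1 A->B: sid, X              (no peer identity: post-specified peer)
    # msg2 B->A: sid, B, Y, MAC_{H(sid,Y,X,X^y)}(B)   "Y is sent by B who knows y"
    t_b1 = nmzk(H(sid, Y, X, pow(X, y, P)), "B")
    ok1 = hmac.compare_digest(t_b1, nmzk(H(sid, Y, X, pow(Y, x, P)), "B"))   # A checks: Y^x = X^y
    # msg3 A->B: sid, A, MAC_{H(sid,X,Y,Y^a,Y^x)}(A)  "I truly know (a, x)"
    t_a = nmzk(H(sid, X, Y, pow(Y, a, P), pow(Y, x, P)), "A")
    ok2 = hmac.compare_digest(t_a, nmzk(H(sid, X, Y, pow(A_pub, y, P), pow(X, y, P)), "A"))  # B: (g^a)^y = Y^a
    # msg4 B->A: sid, MAC_{H(sid,Y,X,X^b,X^y)}(B)     "I truly know (b, y) as well"
    t_b2 = nmzk(H(sid, Y, X, pow(X, b, P), pow(X, y, P)), "B")
    ok3 = hmac.compare_digest(t_b2, nmzk(H(sid, Y, X, pow(B_pub, x, P), pow(Y, x, P)), "B"))  # A: (g^b)^x = X^b
    return {"X": X, "Y": Y, "t_a": t_a, "ok": ok1 and ok2 and ok3}

def peer_can_forge_a(tr, a_pub, y, sid):
    """Deniability: from y and A's public key alone (no a, no x) recompute A's tag,
    since Y^a = (g^a)^y and Y^x = X^y. A transcript therefore proves nothing to a third party."""
    forged = nmzk(H(sid, tr["X"], tr["Y"], pow(a_pub, y, P), pow(tr["X"], y, P)), "A")
    return hmac.compare_digest(forged, tr["t_a"])

if __name__ == "__main__":
    a, b, x, y = (secrets.randbelow(P - 2) + 1 for _ in range(4))
    tr = run_deniable_ike(a, b, x, y, "sid-0001")
    print("handshake verified:", tr["ok"])
    print("B reproduces A's authenticator from y alone:", peer_can_forge_a(tr, pow(G, a, P), y, "sid-0001"))
```

The same computation with (g^b)^x and Y^x shows that A can likewise produce B's authenticators from x alone, which is the forward-deniability bullet on the features slide.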