Design and Analysis of Group Key Exchange Protocols


Design and Analysis of Group Key Exchange Protocols
by Malakondayya Choudary Gorantla
Bachelor of Technology (Comp. Sci.), Andhra University, 2002
Master of Technology (Info. Tech.), University of Hyderabad, 2005
Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Institute, Faculty of Science and Technology, Queensland University of Technology
June 2010


Keywords

Authenticated Key Exchange, Group Key Exchange, Forward Secrecy, Forward Security, Key Evolving, Key Compromise Impersonation Resilience, Mutual Authentication, Contributiveness, Universal Composability, Attribute-based Cryptography, Random Oracle Model, Generic Group Model, Standard Model, Key Encapsulation Mechanism, Multi Key Encapsulation Mechanism


Abstract

A group key exchange (GKE) protocol allows a set of parties to agree upon a common secret session key over a public network. In this thesis, we focus on designing efficient GKE protocols using public key techniques and appropriately revising security models for GKE protocols. For the purpose of modelling and analysing the security of GKE protocols we apply the widely accepted computational complexity approach.

The contributions of the thesis to the area of GKE protocols are manifold. We propose the first GKE protocol that requires only one round of communication and is proven secure in the standard model. Our protocol is generically constructed from a key encapsulation mechanism (KEM). We also suggest an efficient KEM from the literature, which satisfies the underlying security notion, to instantiate the generic protocol. We then concentrate on enhancing the security of one-round GKE protocols. A new model of security for forward secure GKE protocols is introduced and a generic one-round GKE protocol with forward security is then presented. The security of this protocol is also proven in the standard model. We also propose an efficient forward secure encryption scheme that can be used to instantiate the generic GKE protocol.

Our next contributions are to the security models of GKE protocols. We observe that the analysis of GKE protocols has not been as extensive as that of two-party key exchange protocols. Particularly, the security attribute of key compromise impersonation (KCI) resilience has so far been ignored for GKE protocols. We model the security of GKE protocols addressing KCI attacks by both outsider and insider adversaries. We then show that a few existing protocols are not secure against KCI attacks. A new proof of security for an existing GKE protocol is given under the revised model assuming random oracles. Subsequently, we treat the security of GKE protocols in the universal composability (UC) framework. We present a new UC ideal functionality for GKE protocols capturing the security attribute of contributiveness. An existing protocol with minor revisions is then shown to realize our functionality in the random oracle model.

Finally, we explore the possibility of constructing GKE protocols in the attribute-based setting. We introduce the concept of attribute-based group key exchange (AB-GKE). A security model for AB-GKE and a one-round AB-GKE protocol satisfying our security notion are presented. The protocol is generically constructed from a new cryptographic primitive called encapsulation policy attribute-based KEM (EP-AB-KEM), which we introduce in this thesis. We also present a new EP-AB-KEM with a proof of security assuming generic groups and random oracles. The EP-AB-KEM can be used to instantiate our generic AB-GKE protocol.


Contents

Front Matter i
  Keywords i
  Abstract iii
  Table of Contents v
  List of Figures ix
  List of Tables xi
  Declaration xvii
  Previously Published Material xix
  Acknowledgements xxi

1 Introduction
  1.1 Key Exchange
  1.2 Research Objectives
  1.3 Outline

2 Background
  2.1 Mathematical Background: Bilinear Pairings; Computational Assumptions; Applications of Bilinear Pairings
  Provable Security: Random Oracle Model; Generic Group Model; Proof Techniques
  Cryptographic Tools: Hash Functions; Pseudorandom Functions; Public Key Encryption; Digital Signature
  Two-party Key Exchange: Security Goals; Security Model for 2PKE (Communication Model; Adversarial Model)
  Group Key Exchange: Security Goals for GKE Protocols; Dynamic Group Key Exchange; Broadcast Channel; Robustness
  Security Model for Group Key Exchange: Communication Model; Adversarial Model; AKE-security; Mutual Authentication; Contributiveness
  Comparing the Security Models
  Research Problems

3 Generic One-round Group Key Exchange in the Standard Model
  Introduction: Key Encapsulation Mechanism; Key Exchange from KEM; Contributions
  Multi KEM
  Security Model for GKE Protocols: AKE-security
  One-round GKE Protocol from mKEM: Proof of Security; Instantiating the Protocol; Achieving Forward Secrecy
  Security and Efficiency Comparison
  Summary

4 One-round Group Key Exchange with Forward Security
  Introduction: Forward Secrecy in One Round?; Forward Security; Contributions; Related Work
  A Forward Secure Encryption Scheme: Key Evolving Public Key Encryption; Definitions of Security for KE-PKE; A Forward Secure Encryption Scheme with Constant-size Ciphertext; Achieving FS-IND-CCA Security
  Forward Secure Group Key Exchange: Communication Model; 4.3.2 Adversarial Model; AKE-security; Discussion
  One-round GKE Protocol with Forward Security: A Protocol with Linear Complexity; A One-round Forward Secure GKE Protocol; Security Proof
  Comparison
  Summary

5 Modelling KCI Attacks on GKE Protocols
  Introduction: The Importance of KCIR for GKE Protocols; Contributions (Outsider KCIR; Insider KCIR; KCI Attacks on Existing GKE Protocols)
  Security Model: AKE-security; Mutual Authentication
  KCI Attacks on Existing Protocols: Boyd and González Nieto's Protocol; Al-Riyami and Paterson's Protocol; Bresson et al.'s Protocol
  An Insider Secure GKE Protocol: Achieving MA-security with Insider KCIR; The Katz-Shin Compiler; Security Proof
  Comparison
  Summary

6 Universally Composable Contributory Group Key Exchange
  Introduction: Contributiveness for GKE Protocols (Contributiveness in the Presence of Honest Parties; Contributiveness in the Presence of Insiders); Group Key Exchange in the UC Framework; Contributions
  Universally Composable GKE: An Overview on the UC Framework; Katz-Shin's Functionality for GKE
  Universally Composable GKE with Contributiveness: A GKE Functionality that Guarantees Contributiveness
  6.4 Relation between Relaxed UC-security and Game-based Notions: Review of Game-based Notions of Security for GKE (AKE-security; Mutual Authentication; Contributiveness); Relaxed UC-security Implies Existing Notions
  A Protocol that Realizes F+RGKE: Security Analysis
  Comparison
  Conclusion

7 Attribute-based Group Key Exchange
  Introduction: Attribute-based Encryption; Contributions; Related Work; Organization
  Encapsulation Policy Attribute-based KEM: Security Model; A Chosen Ciphertext Secure EP-AB-KEM; Security Proof of the EP-AB-KEM
  Attribute-based Group Key Exchange: Communication Model; Adversarial Model; AKE-security
  A Generic One-round AB-GKE Protocol: Security Proof
  Security and Efficiency Comparison
  Summary

8 Conclusion and Future Work
  Summary
  Future Directions

A Ciphertext Policy Attribute-based Hybrid Encryption 147
  A.1 CCA Security for CP-ABE Schemes
  A.2 CCA Security for DEM
  A.3 Hybrid CP-ABE

Bibliography 153

List of Figures

2.1 The Diffie-Hellman Protocol
Burmester and Desmedt's Protocol
Boyd's Classification
A Generic GKE Protocol from mKEM
Hiwatari et al.'s IND-CCA Secure mKEM
Katz and Yung Compiler
The Key Evolving Paradigm
A Binary Tree Construction for N =
A One-round GKE Protocol with Forward Security
Improved Boyd-González Nieto Protocol
TAK-3 Protocol of Al-Riyami and Paterson
Bresson et al.'s GKE Protocol
GKE Protocol of Bohli et al.
Katz and Shin Compiler
Functionality F_GKE
F+RGKE: A GKE Functionality that Guarantees Contributiveness
A Protocol that Realizes F+RGKE
A Non-information Oracle N_gke
A Generic One-round AB-GKE Protocol


List of Tables

2.1 Comparison among Security Models for GKE Protocols
Security and Efficiency Comparison among Existing GKE Protocols (Chapter 3)
Security and Efficiency Comparison among Existing GKE Protocols (Chapter 4)
Security and Efficiency Comparison among Existing GKE Protocols (Chapter 5)
Security and Efficiency Comparison among Existing GKE Protocols (Chapter 6)
Possible Query Types into G_1 from the Adversary
Security and Efficiency Comparison among Existing AB-GKE Protocols


List of Abbreviations

2PKE: Two-party Key Exchange
ABE: Attribute-based Encryption
AB-GKE: Attribute-based Group Key Exchange
BTE: Binary Tree Encryption
CA: Certifying Authority
CCA: Chosen Ciphertext Attack
CDH: Computational Diffie-Hellman
CMA: Chosen Message Attack
CP-ABE: Ciphertext Policy Attribute-based Encryption
CPA: Chosen Plaintext Attack
DDH: Decisional Diffie-Hellman
DEM: Data Encapsulation Mechanism
DLP: Discrete Logarithm Problem
GKE: Group Key Exchange
IBE: Identity-based Encryption
ID-based: Identity-based
IND-CCA: Indistinguishability against Chosen Ciphertext Attacks
IND-CPA: Indistinguishability against Chosen Plaintext Attacks
KCI: Key Compromise Impersonation
KCIR: Key Compromise Impersonation Resilience
KEM: Key Encapsulation Mechanism
KP-ABE: Key Policy Attribute-based Encryption
MAC: Message Authentication Code
mKEM: Multi Key Encapsulation Mechanism
NIZK: Non-interactive Zero Knowledge
PKG: Private Key Generator
PPT: Probabilistic Polynomial Time
SUF-CMA: Strong Existential Unforgeability under Chosen Message Attack
UC: Universally Composable
UF-CMA: Existential Unforgeability under Chosen Message Attack
wBDHI: weak Bilinear Diffie-Hellman Inversion


List of Notation

G          A cyclic group of prime order
e          Bilinear pairing
G_0        The base group of a bilinear pairing
G_1        The target group of a bilinear pairing
∈          Membership of a set
N          Set of all natural numbers
Z          Set of all integers
R          Set of all real numbers
Z_q        Set of all integers modulo q, where q is a positive integer
Z_p^*      The multiplicative group of Z_p
←_R        Assigning a value that is chosen uniformly at random
k          Security parameter
{0,1}^k    Set of binary strings of length k
{0,1}^*    Set of binary strings of arbitrary length (but polynomial in k)
⊥          Rejection symbol
τ          Time period


Declaration

The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.

Signed: ...
Date: ...


Previously Published Material

The following papers have been published or presented, and contain material based on the content of this thesis.

1. M. Choudary Gorantla, Colin Boyd and Juan Manuel González Nieto. One Round Group Key Exchange with Forward Security in the Standard Model. Cryptology ePrint Archive, Report 2010/083.

2. M. Choudary Gorantla, Colin Boyd and Juan Manuel González Nieto. Attribute-based Authenticated Key Exchange. In Ron Steinfeld and Philip Hawkes, editors, Information Security and Privacy, 15th Australasian Conference, ACISP 2010, volume 6168 of LNCS, pages …, Springer.

3. M. Choudary Gorantla, Colin Boyd and Juan Manuel González Nieto. Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols. In Stanislaw Jarecki and Gene Tsudik, editors, Public Key Cryptography, PKC 09, volume 5443 of LNCS, pages …, Springer.

4. M. Choudary Gorantla, Colin Boyd, and Juan Manuel González Nieto. Universally Composable Contributory Group Key Exchange. In Wanqing Li, Willy Susilo, Udaya Kiran Tupakula, Reihaneh Safavi-Naini, and Vijay Varadharajan, editors, Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 09, pages …, ACM.

5. M. Choudary Gorantla, Colin Boyd, Juan Manuel González Nieto and Mark Manulis. Generic One Round Group Key Exchange in the Standard Model. In Dong Hoon Lee and Seokhie Hong, editors, 12th International Conference on Information Security and Cryptology, ICISC 09, pages …, Springer.


Acknowledgements

First of all, I thank my principal supervisor Dr. Juan Manuel González Nieto and associate supervisor Prof. Colin Boyd for their excellent guidance and continuous support over the last three years. Their strong encouragement and invaluable comments have been instrumental in shaping up the contents of this thesis. My special thanks to Colin for offering me a PhD position when I was passing the time in the IT wilderness. I wish to thank Prof. Erhan Kozan and Dr. Douglas Stebila for being part of the internal panel of my PhD defense seminar. Special thanks to Prof. Kenny Paterson for suggesting my name as a potential PhD candidate to Colin. I would like to thank Dr. Mark Manulis for his feedback on a few earlier drafts of my papers and on parts of this thesis. Mark is also a co-author of one of my publications and working with him has been rewarding. Thanks again to Douglas for his insightful comments on this thesis. I wish to thank Dr. Praveen Gauravaram for the numerous technical discussions we had, and Dr. Yvonne Cliff for sharing her notes on the universal composability framework with me.

I wish to thank all the colleagues at the Information Security Institute who made working on my PhD enjoyable. They are: Mr. Hani Alzaid, Mr. Sajal Bhatia, Dr. James Birkett, Mr. Mark Branagan, Dr. Andrew Clark, Mr. Craig Costello, Prof. Ed Dawson, Dr. Ernest Foo, Dr. Marianne Hirschbichler, Mr. Huseyin Hisil, Ms. Roheena Khan, Ms. Lakshmi Kuppusamy, Mr. Georg Lippold, Dr. Adrian McCullagh, Mr. Long Ngo, Mr. Quan Pham, Mr. Ken Radke, Mr. Jothi Rangasamy, Dr. Jason Reid, Mr. Farzad Salim, Dr. Jason Smith, Mr. Donald Sun, Mr. Suriadi Suriadi, Mr. Sui Guan Teo, Dr. Suratose Tritilanunt, Mr. Muhammad Reza Z'aba. Special thanks to Ms. Illana Bradford, Ms. Elizabeth Hansford, Ms. Agatha Nucifora and Ms. Christine Kincaid for administrative assistance and Mr. Matt Bradford, Mr. Edward Chang, Mr. James Mackie and Mr. Gleb Sechenov for technical help.

I have been very fortunate to meet some wonderful people over the last three years. I am grateful to Mr. Satish Shekar, Ms. Priyadarshini Satish and their little daughter Ms. Harshita Satish for hosting me for a majority of my stay in Brisbane. I would like to thank Satish, Priya, Harshita and the members of their extended family for their affection and support. I wish to thank Mr. Georg Lippold and Ms. Djamilia Omarova for inviting me to numerous dinners at their home. I am grateful to Mr. Jothi Rangasamy and Ms. Lakshmi Kuppusamy for their support over the past few months. I wish to thank Jaya Prakash, Chetan, Sushma, Pemm, Parvathy, King Chi, Sumal, Deepika, Venu, Kalam and Manoj for their friendship. Finally, I would like to thank my parents, brother, sisters and other members of my family for their unconditional love and support.


Chapter 1 Introduction

Historically, cryptography has been regarded as the study of message secrecy. However, modern cryptography is about providing several security services beyond secrecy. Goldreich [95] stated that (modern) cryptography could be viewed as concerned with the design of any system that needs to withstand malicious attempts to abuse it. In these days of ubiquitous connectivity to the Internet, it is necessary to view the system as operating in a highly distributed environment. The system may be abused by either a passive adversary eavesdropping on the network traffic or an active adversary manipulating the source or the contents of a message in transit. Moreover, these malicious attempts could come from any party, internal or external to the system.

Cryptography can largely be classified into two types: symmetric key and asymmetric key. In symmetric key cryptography (also called secret key cryptography), two parties share a common secret key. On the contrary, in asymmetric key cryptography (also called public key cryptography) there exist mathematically related public and private keys for each party. The public key is made available to all the other parties in the system, while the corresponding private key is kept secret. For asymmetric key cryptography to guarantee any form of security, it should be computationally infeasible for an adversary to recover a private key given the matching public key.

Encryption is the basic cryptographic primitive that provides message secrecy. The parties in a symmetric key cryptosystem can establish a secret communication by using the shared key to both encrypt and decrypt messages. In public key cryptography the encryption mechanism can be realised as follows: a party A that wants to send a confidential message to another party B encrypts the message using the public key of B and sends the resulting ciphertext to B. On receiving the ciphertext, B applies its private key to it to extract the message.

Digital signature is another important cryptographic primitive that can be realized only by asymmetric key cryptography. The purpose of a digital signature is to provide a means for a party to bind its identity to a piece of information. A party can accomplish this by generating its signature on a message using its own private key. The signature can be publicly verified by any party, using the matching public key.

The objectives of modern cryptography, especially after the invention of public key cryptography, have been stretched beyond message secrecy. Menezes et al. [151, Chapter 1] (see also Boyd and Mathuria [41, Chapter 1]) identified the following four fundamental objectives that a cryptographic algorithm may achieve.

Confidentiality ensures the data is available only to the authorised parties. It is usually achieved by encrypting the data so that it can be recovered only by parties with the correct decryption key.

Data Integrity ensures that data has not been altered by unauthorised parties. To assure data integrity one must be able to detect data manipulation such as insertion, deletion and substitution by unauthorised parties. It can be achieved through the use of hash functions in combination with encryption, or by the use of a message authentication code.

Authentication can be subdivided into two major classes: entity authentication and data origin authentication. Entity authentication ensures that two parties entering into a communication identify each other, whereas data origin authentication guarantees the origin of data. Note that data origin authentication implicitly provides data integrity and it can be achieved by the same mechanism as data integrity.

Non-repudiation ensures that parties cannot deny their previous commitments or actions. It is typically provided using a digital signature mechanism. A trusted third party may also be involved to provide this objective.

1.1 Key Exchange

Both symmetric key cryptography and asymmetric key cryptography have their own advantages and disadvantages. On one hand, symmetric key encryption algorithms are much faster than the computationally intensive asymmetric key encryption algorithms. On the other hand, symmetric key cryptography requires the parties to share a secret key before establishing a secure communication over an insecure channel, whereas public key cryptography requires no such prior establishment.
The requirement in symmetric key cryptography that the parties must initially share a secret key may seem paradoxical, since a party generating the shared key has to first securely distribute the key itself to the other parties. A cumbersome approach to solving this key distribution problem involves the parties arranging a physical meeting or using the services of a trusted courier. A better solution is to have a trusted third party called a key distribution center (KDC) with which each party shares a symmetric key. The parties may then communicate between themselves by first executing a key distribution protocol to establish a shared key and then using it to encrypt the actual message. However, this solution still assumes the existence of a secure channel for the initial key sharing between each party and the KDC. Moreover, the KDC potentially becomes a single point of failure and it also has to be online all the time.

Public key cryptography provides an elegant solution to the above key distribution problem. In the same work that introduced public key cryptography, Diffie and Hellman [81] also presented a cryptographic primitive called key exchange. Key exchange is an interactive protocol which enables two parties, who may not share any secret information, to establish a

common secret key by communicating over a public channel. Of the four objectives of cryptographic algorithms discussed earlier, a key exchange protocol is generally not required to provide non-repudiation.

The focus of this thesis is on key exchange protocols executed among a group of parties, called group key exchange (GKE) protocols. GKE protocols have applications such as satellite TV, Internet video broadcasting, collaborative systems and video/audio conferencing. Each of these applications may have different requirements from the others. Some of the factors behind this variation in requirements include the environment in which these applications are deployed and the extent to which an adversary can abuse the applications in those environments. In this thesis, we concentrate on the design and analysis of GKE protocols considering different adversarial actions. The applications for the different variants of GKE protocols that we discuss may be identified according to the security properties they achieve.

1.2 Research Objectives

Our understanding of cryptographic protocols has greatly improved with the development of rich theory in the era of modern cryptography. This development owes much to the pioneering work of Goldwasser and Micali [98], which introduced the computational complexity approach to analysing cryptographic protocols. The approach involves first defining a notion of security for a cryptographic protocol and then reducing the security of the protocol to the presumed hardness of a computational problem. This approach is also known as provable security in the cryptographic literature.

A cryptographic protocol can be designed either in an ad hoc manner or generically using other cryptographic components. The security of generic constructions is often intuitive to understand and easy to analyse, since the security of the underlying constructs will have already been well studied. However, generic constructions may not always be as efficient as ad hoc constructions. In some cases, the sole purpose of pursuing an ad hoc approach can be efficiency. A major part of this thesis uses the generic approach to designing GKE protocols. The generic protocols make use of the standard public key encryption and signature mechanisms. Interestingly, our constructions turn out to be more efficient than existing GKE protocols.

We use the computational complexity approach to model and analyse security for the GKE protocols proposed in the thesis. We also analyse a few existing GKE protocols based on the new security models that we introduce. Much of the thesis focuses on GKE protocols in the traditional public key setting, i.e., assuming the existence of a public key infrastructure wherein the public keys of the parties are certified by a trusted party called a certifying authority. In the last chapter of the thesis, we introduce the concept of attribute-based group key exchange, which can be seen as GKE in a public key based setting called the attribute-based setting.

Specifically, the research objectives of this thesis are as follows:

1. Explore the relation of GKE protocols with other cryptographic primitives for possible generic constructions.

2. Propose efficient GKE protocols without resorting to any idealised models.

3. Examine whether GKE protocols in the literature have been analysed as rigorously as two-party key exchange protocols. Revise the security models of GKE protocols if necessary, and then check whether existing GKE protocols are secure under the revised notions.

4. Define a notion of security for GKE protocols in the universal composability framework which is stronger than the existing notion, yet can be realized by efficient GKE protocols.

5. Extend the concept of GKE to other public key settings.

1.3 Outline

The organization and main contributions of the thesis are as follows:

Chapter 2: This chapter contains background material that will be useful to understand the rest of the thesis. We first describe a few intractability assumptions. Using the computational complexity approach, we analyse the proposed GKE protocols in later chapters by reducing their security to the computational hardness of these intractability assumptions. We then give an overview of provable security and of approaches to defining and analysing the security of cryptographic protocols. We also describe the security definitions considered for public key encryption and signature schemes. Finally, we review the security models for GKE protocols and then identify the research gaps that we address in this thesis.

Chapter 3: This chapter presents a new GKE protocol using the generic approach. The security of the GKE protocol is reduced to a standard notion of security for the public key encryption mechanism. The protocol has minimal communication complexity and its security is proven without assuming any ideal models. The contents of this chapter have appeared in the following publication.

M. Choudary Gorantla, Colin Boyd, Juan Manuel González Nieto and Mark Manulis. Generic One Round Group Key Exchange in the Standard Model. In Dong Hoon Lee and Seokhie Hong, editors, 12th International Conference on Information Security and Cryptology, ICISC 09, pages …, Springer.

Chapter 4: This chapter is on forward secrecy, an important attribute considered while analysing the security of GKE protocols. We present a new GKE protocol that has the same communication efficiency as the protocol in the previous chapter, yet provides additional security assurance. The protocol achieves a variant of forward secrecy that is known as forward security in the literature. For the purpose of instantiating the protocol, we also propose a new forward secure encryption scheme. The contents of this chapter have appeared in the following manuscript.

M. Choudary Gorantla, Colin Boyd and Juan Manuel González Nieto. One Round Group Key Exchange with Forward Security in the Standard Model. Cryptology ePrint Archive, Report 2010/083.

Chapter 5: In this chapter, we model another security attribute, called key compromise impersonation resilience (KCIR), for the first time for GKE protocols. We explain the importance of KCIR for GKE protocols and then revise the existing notions of security for GKE protocols, considering KCIR. We also show that a few of the existing GKE protocols do not satisfy our new notions. Finally, we give a new proof of security for an existing GKE protocol under our security notions. Most of the material in this chapter is from the following publication.

M. Choudary Gorantla, Colin Boyd and Juan Manuel González Nieto. Modeling Key Compromise Impersonation Attacks on Group Key Exchange Protocols. In Stanislaw Jarecki and Gene Tsudik, editors, Public Key Cryptography, PKC 09, volume 5443 of LNCS, pages …, Springer.

Definition 5.2 and the idea behind Section 5.5 are from the following publication.

M. Choudary Gorantla, Colin Boyd, Juan Manuel González Nieto and Mark Manulis. Generic One Round Group Key Exchange in the Standard Model. In 12th International Conference on Information Security and Cryptology, ICISC 09. Springer.

Chapter 6: This chapter focuses on yet another security attribute for GKE protocols, called contributiveness. The security notion is defined in a framework that is different from the one considered in earlier chapters. This framework, called universal composability (UC), gives the additional assurance that a protocol analysed under it can be executed in an arbitrary environment. We revise an existing GKE protocol and prove its security under our new notion. The contents of this chapter have appeared in the following publication.

M. Choudary Gorantla, Colin Boyd, and Juan Manuel González Nieto. Universally Composable Contributory Group Key Exchange. In Wanqing Li, Willy Susilo, Udaya Kiran Tupakula, Reihaneh Safavi-Naini, and Vijay Varadharajan, editors, Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, ASIACCS 09, pages …, ACM.

Chapter 7: In this chapter, we introduce the concept of attribute-based group key exchange (AB-GKE). We model the security of AB-GKE based on the existing models of security for GKE protocols. A generic AB-GKE protocol is also proposed based on attribute-based encryption techniques. For the purpose of instantiating the protocol, we also present a new attribute-based encryption mechanism. The contents of this chapter have appeared in the following manuscript.

M. Choudary Gorantla, Colin Boyd and Juan Manuel González Nieto. Attribute-based Authenticated Key Exchange. In Ron Steinfeld and Philip Hawkes, editors,

Information Security and Privacy, 15th Australasian Conference, ACISP 2010, volume 6168 of LNCS, pages …, Springer.

Chapter 8: We finally summarise the contributions of the thesis in this chapter. A few open problems and possible research directions are also discussed.

Chapter 2 Background

In this chapter, we describe several background concepts that help in understanding the rest of the thesis. We first briefly describe the mathematical constructs called bilinear pairings, which will be used to design some of the protocols in the later chapters. We then review a few computational assumptions on which the security of the protocols analysed in the thesis will depend. An overview of the approach we adopt to analyse the security of GKE protocols is then presented. We then briefly review the cryptographic tools which will be used in the design of GKE protocols in this thesis. Before moving on to the main contributions, we briefly pause to explain the informal security goals of GKE protocols and give an overview of their formal security models.

2.1 Mathematical Background

Throughout the thesis, we assume that all the parties (including the adversary) involved in a cryptographic protocol are probabilistic polynomial-time (PPT) algorithms. We now define a negligible function, which is useful in measuring the adversary's advantage against a cryptographic algorithm or a computationally hard problem.

Definition 2.1 (Negligible [95]). We call a function $\mu : \mathbb{N} \to \mathbb{R}$ negligible if for every positive polynomial $p(\cdot)$ there exists an $N$ such that for all $k > N$,

$$\mu(k) < \frac{1}{p(k)}.$$

Informally, an event is negligible in a variable $k$ if it happens with a probability that is less than the inverse of any polynomial in $k$. The advantage of an adversary against a hard problem or a cryptographic algorithm is deemed negligible if the advantage is negligible in the given security parameter $k$. A typical security parameter for a cryptographic algorithm is the length of the key employed by it.

Bilinear Pairings

Let $G_0$ and $G_1$ be two multiplicative groups of prime order $p$ and let $g$ be an arbitrary generator of $G_0$. The pairing $e : G_0 \times G_0 \to G_1$ is called an admissible bilinear map if it has the following properties:

Bilinearity: $\forall u, v \in G_0$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u, v)^{ab}$

Non-degeneracy: $e(g, g) \neq 1$

Computable: There exists an efficient algorithm to compute $e(g, g)$

The bilinear pairing type that we described above is called a symmetric pairing, where the two base groups are the same. We can also have an asymmetric bilinear pairing, wherein the base groups are different, i.e., $e : G_1 \times G_2 \to G_T$, and there may exist an efficiently computable isomorphism $\psi : G_2 \to G_1$. Bilinear pairings (both symmetric and asymmetric) can be realized over elliptic curves. The base groups are generally subgroups of the additive group formed by the points on an elliptic curve, while the target group $G_1$ is a multiplicative subgroup of an extension field. We refer the reader to Galbraith et al. [91] for an introduction to the types of bilinear pairings and to Galbraith [90] for a comprehensive overview.

Computational Assumptions

We now describe some computational assumptions which form the basis of security for the GKE protocols that we describe in the later chapters.

Discrete Logarithm Assumption

Let $G$ be a cyclic group of prime order $p$ and let $g$ be an arbitrary generator of $G$. The discrete logarithm of $g^a \in G$ to the base $g$ is the unique integer $a \in \mathbb{Z}_p$. The discrete logarithm problem (DLP) is to compute the discrete logarithm of $g^a$ to the base $g$, given a random instance $(g, g^a)$. We say that the discrete logarithm assumption holds in $G$ if for all PPT algorithms, the probability of solving the DLP in $G$ is negligible in a given security parameter $k$.

Computational Diffie-Hellman (CDH) Assumption

Let $G$, $g$, $p$ be as described above. The CDH problem is to compute $g^{ab}$ given a random instance $(g, g^a, g^b)$ for $a, b \in \mathbb{Z}_p$. We say that the CDH assumption holds in $G$ if for all PPT algorithms, the probability of solving the CDH problem is negligible in a given security parameter $k$. Note that the hardness of the CDH problem entails that of the DLP.

Decisional Diffie-Hellman (DDH) Assumption

Let $G$, $g$, $p$ be as described above. Consider the following two distributions:

$DH_G = \{(g, g^a, g^b, g^{ab}) \text{ for } a, b \in_R \mathbb{Z}_p\}$ and $R_G = \{(g, g^a, g^b, g^c) \text{ for } a, b, c \in_R \mathbb{Z}_p\}$
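The two distributions $DH_G$ and $R_G$ just defined, as an added example that is not part of the thesis: a toy Python experiment that samples from both and estimates a distinguisher's DDH advantage $|\Pr[A(\rho) = 1 \mid \rho \in_R DH_G] - \Pr[A(\rho) = 1 \mid \rho \in_R R_G]|$. The group (the order-509 subgroup of quadratic residues in $\mathbb{Z}_{1019}^*$), the generator and the trial count are constructed choices of mine; the group is deliberately tiny so that the discrete logarithm can be brute-forced, which is exactly why the DDH assumption visibly fails in it while a guessing distinguisher gains nothing.

```python
import random

# Constructed toy parameters (not from the thesis): G is the subgroup of
# quadratic residues in Z_P^*, which has prime order Q because P = 2*Q + 1.
# Every non-identity element of a prime-order group generates it, so the
# quadratic residue 4 = 2^2 is a generator.
P = 1019          # prime
Q = 509           # prime order of the subgroup G, P = 2*Q + 1
G = 4             # generator of the subgroup


def sample_dh(rng):
    """One sample from DH_G = {(g, g^a, g^b, g^ab) : a, b <-R Z_q}."""
    a, b = rng.randrange(Q), rng.randrange(Q)
    return (G, pow(G, a, P), pow(G, b, P), pow(G, a * b, P))


def sample_random(rng):
    """One sample from R_G = {(g, g^a, g^b, g^c) : a, b, c <-R Z_q}."""
    a, b, c = rng.randrange(Q), rng.randrange(Q), rng.randrange(Q)
    return (G, pow(G, a, P), pow(G, b, P), pow(G, c, P))


def brute_force_dlog(h):
    """Solve the DLP by exhaustive search over all Q exponents.

    This is feasible only because Q is tiny; in a group where the discrete
    logarithm assumption holds no PPT algorithm can do this.
    """
    x = 1                                  # G^0
    for i in range(Q):
        if x == h:
            return i
        x = (x * G) % P
    raise ValueError("element is not in the subgroup generated by G")


def dlog_distinguisher(rho, rng):
    """Recover b from g^b, then test whether the last element equals (g^a)^b."""
    g, ga, gb, z = rho
    b = brute_force_dlog(gb)
    return 1 if pow(ga, b, P) == z else 0


def guessing_distinguisher(rho, rng):
    """Ignores the instance and flips a coin."""
    return rng.randrange(2)


def always_one(rho, rng):
    """Outputs 1 on every instance: its two acceptance probabilities cancel."""
    return 1


def ddh_advantage(distinguisher, trials=400, seed=1):
    """Empirical |Pr[A(rho)=1 | rho <- DH_G] - Pr[A(rho)=1 | rho <- R_G]|.

    A fixed seed makes the experiment reproducible; each distribution is
    sampled `trials` times and the acceptance frequencies are compared.
    """
    rng = random.Random(seed)
    ones_dh = sum(distinguisher(sample_dh(rng), rng) for _ in range(trials))
    ones_rand = sum(distinguisher(sample_random(rng), rng) for _ in range(trials))
    return abs(ones_dh - ones_rand) / trials


if __name__ == "__main__":
    for name, dist in [("brute-force DLP", dlog_distinguisher),
                       ("coin flip", guessing_distinguisher),
                       ("always 1", always_one)]:
        print(f"{name:16s} advantage ~ {ddh_advantage(dist):.3f}")
```

The brute-force distinguisher accepts every $DH_G$ sample and rejects an $R_G$ sample unless $c \equiv ab \pmod{q}$, so its advantage is about $1 - 1/q$; the other two stay near zero.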

We say that the DDH assumption holds in $G$ if for all PPT algorithms $A_{ddh}$, the advantage of $A_{ddh}$ in distinguishing the distributions $DH_G$ and $R_G$, given as

$\mathrm{Adv}^{DDH}_{A_{ddh}}(k) = \left| \Pr[A_{ddh}(k, \rho) = 1 \mid \rho \in_R DH_G] - \Pr[A_{ddh}(k, \rho) = 1 \mid \rho \in_R R_G] \right|,$

is negligible in $k$.

Weak BDHI Assumption

Boneh et al. [32] introduced a weaker variation of the $\ell$-th bilinear Diffie-Hellman inversion problem ($\ell$-BDHI) [30], called the weak bilinear Diffie-Hellman inversion problem and denoted by $\ell$-wBDHI. It is as follows: Let $g$ and $h$ be two random generators of $G_0$. Let $\alpha$ be a random number in $\mathbb{Z}_p$. The $\ell$-wBDHI problem is defined as:

$\ell$-wBDHI: given $g, h, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^\ell)}$ compute $e(g, h)^{1/\alpha}$

Boneh et al. also defined another problem, $\ell$-wBDHI$^*$, which is equivalent to $\ell$-wBDHI under a linear time reduction.

$\ell$-wBDHI$^*$: given $g, h, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^\ell)}$ compute $e(g, h)^{(\alpha^{\ell+1})}$

We say that the $\ell$-wBDHI and/or $\ell$-wBDHI$^*$ assumptions hold in $G_0$ if for all PPT algorithms, the probability of solving these problems is negligible in $k$.

Decisional $\ell$-wBDHI Assumption

The decisional variant of the $\ell$-wBDHI problem is defined as follows. Consider the following distributions:

$P_{wBDHI} = \{(g, h, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^\ell)}, e(g, h)^{(\alpha^{\ell+1})}) \text{ for } g, h \in G_0, \alpha \in \mathbb{Z}_p\}$

$R_{wBDHI} = \{(g, h, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^\ell)}, T) \text{ for } g, h \in G_0, \alpha \in \mathbb{Z}_p, T \in G_1\}$

We say that the decisional $\ell$-wBDHI assumption holds in $G_0$ if for all PPT algorithms $B$, the advantage in distinguishing the distributions $P_{wBDHI}$ and $R_{wBDHI}$, given as

$\left| \Pr[B(k, \rho) = 1 \mid \rho \in_R P_{wBDHI}] - \Pr[B(k, \rho) = 1 \mid \rho \in_R R_{wBDHI}] \right|,$

is negligible in $k$.

Applications of Bilinear Pairings

Bilinear pairings over elliptic curves have found very surprising cryptographic applications in two different ways. Initially, the MOV attack [149] and the FR attack [86] used bilinear pairings to reduce the DLP over elliptic curves to the DLP in a finite field. Later, cryptography has witnessed an explosive trend ever since Joux [121] found a constructive application using bilinear pairings. Joux used bilinear pairings to construct a one-round tripartite key exchange protocol. Later, bilinear maps have been instrumental in realizing non-interactive key agreement [165], efficient identity based encryption schemes [30, 34], short signatures [36], forward secure encryption [57] and many other cryptographic constructions [3, 9, 25, 32, 105, 106] that may not have been conceived otherwise.

2.2 Provable Security

Any cryptographic protocol is expected to achieve some security goals. Once a protocol has been designed, it has to be analysed for the purported security goals. An earlier approach to analysing a cryptographic protocol involved listing out all the relevant known attacks and then checking whether the algorithm in question was secure against each of them. While such an analysis should preempt all the known attacks, there is always a possibility of the algorithm designer either overlooking some subtle attacks or not anticipating newer ones. This has been evident through the numerous broken cryptographic protocols in the literature.

A cryptographic protocol with information theoretic or unconditional security [168] guarantees its security goals even in the face of an adversary with unlimited computational resources. Although this strongest form of security is very attractive, many information theoretic cryptographic protocols have severe practical limitations [148, 168]. Hence, in general the goal of a practical cryptographic protocol is to guarantee the desired security goals in the presence of a realistic adversary who is computationally limited (e.g. a PPT algorithm).

Goldwasser and Micali [98] pioneered the computational complexity approach to analysing the security of cryptographic protocols. This approach involves first defining what constitutes a cryptographic algorithm. An adversarial model, which specifies the capabilities and goals of the adversary, is then defined. Finally, a reductionist argument is applied to show that if the cryptographic algorithm is insecure then it can be used as a black box to solve a presumably hard computational problem. In this thesis, we employ the computational complexity approach to prove the security of GKE protocols.

In modern cryptography, a security proof is viewed as an important and necessary attribute for a cryptographic protocol. A security proof carries a high assurance about the security of a cryptographic protocol. However, one should be careful about what the proof implies. Specifically, the security proofs are valid only under the stated assumptions and the specific security models. We refer to Bellare [13], Pointcheval [161], Koblitz and Menezes [135, 136] and Damgard [74] for a balanced view on the necessity of computational proofs of security for cryptographic protocols.

As described above, a crucial step in analysing the security of a cryptographic protocol is defining a suitable security model. The appropriateness of the security model depends on how well it captures the adversarial actions in the real world. Note that a cryptographic protocol can have many flavours of security model based on the security goals it aims to achieve. Hence, there may not be a single right model of security for a cryptographic protocol. We now briefly discuss two approaches to defining security models that we follow in this thesis.

Game-based Definitions. A very popular way of defining security models is by letting an abstract adversary play a game with an imaginary challenger. The adversary is allowed to issue queries to oracles, which model information leakage by various real world attacks. The challenger answers these queries as responses of the corresponding oracles. Eventually, the

challenger gives a challenge to the adversary. If the adversary is successful in solving the challenge (with non-negligible advantage), then the protocol is deemed insecure in that specific security model. The appropriateness of a game-based notion of security depends on how well the oracles represent the real world adversarial actions. On the other hand, the validity of a security proof under a game-based notion depends on how well the challenger can simulate answers to the adversary's queries.

Universal Composability Framework. An alternative approach to defining security notions is by using the universal composability (UC) framework [55]. As the name hints, a protocol proven secure in the UC framework guarantees its security even if the protocol is executed in an arbitrary environment. This additional assurance is not guaranteed by the game-based definitions, which consider only a stand-alone setting. We discuss the UC framework further in Chapter 6.

In security proofs, it is often necessary to assume some ideal models to prove the security of a cryptographic protocol. While these ideal assumptions cannot be realized, they nevertheless assure that the protocol has no inherent weaknesses. A security proof without assuming these ideal assumptions is said to have been carried out in the standard model. It is highly desirable to prove the security of a protocol in the standard model. However, providing a security proof in the standard model has often turned out to be a tricky task. Consequently, there are very few cryptographic constructions in the literature which have been proven secure in the standard model. Furthermore, cryptographic protocols with proofs of security in the idealised models have so far turned out to be a lot more efficient than the corresponding protocols with security proven in the standard model. Below, we briefly review two of the ideal models that we assume in some of the later chapters of the thesis.

Random Oracle Model

A very popular ideal model assumed in the security proofs of cryptographic protocols is the random oracle model. This model was first used by Fiat and Shamir [84] (though it was not called a random oracle) and later formalised by Bellare and Rogaway [22]. The model assumes that there exists a public oracle $H$, which implements a truly random function. All the parties, including the adversary, can issue queries $x$ to $H$ and receive a response $H(x)$. However, the inputs to the oracle are private, such that if a party obtains $H(x)$ by querying $x$ to $H$, no external adversary can see $x$. A truly random function can be constructed from such an oracle as follows: $H$ maintains a list of pairs $(x, y)$ such that $y = H(x)$. The list is initialized to empty. When a query is issued with an input $x$, it searches through the list to see if $x$ has already been queried. If so, it returns the response that it gave earlier. Otherwise, it selects $y$ uniformly at random, returns $y$ to the party and stores $(x, y)$ in the list.

In practice, the random oracles assumed in the cryptographic proofs of a protocol would be instantiated with cryptographic hash functions like MD5 or SHA-1. Note that proofs in this model assure that the overall design of the protocol is secure under a specific adversarial model given that the hash function has no weakness. Hence, if there was an attack exploiting some specific features of the hash function, the protocol could still be used by instantiating the random oracle with another cryptographic hash function.

The random oracle model has been at the center of a major debate in cryptography [96, 133, 136]. The negative results by Canetti et al. [56], Nielsen [154] and Bellare et al. [15] show that there exist cryptographic constructions which are secure in the random oracle model but become insecure in the real world when the random oracle is instantiated with any cryptographic hash function. However, as remarked by Pointcheval [161], these counter-examples either have counter-intuitive constructions or artificial security notions. Despite the controversy, the random oracle model continues to attract the attention of the cryptographic community. Interestingly, constructions secure in the random oracle model [34, 36] have often been stepping stones to their standard model counterparts [31, 94].

Generic Group Model

Another important tool used in cryptographic proofs is the generic group model introduced by Shoup [169]. The generic group model assumes the existence of oracles to randomly encode elements of a group and to perform group operations between the elements of the group given their corresponding encodings. There may be additional oracles performing inter-group operations (e.g., bilinear pairing computation). The generic group model is particularly useful to establish lower bounds on the difficulty of breaking computationally hard problems. Note that analyses in the generic group model do not take into account the specific representation of the underlying group. Hence, the lower bounds established assuming generic groups do not imply a lower bound in any specific group [32]. The generic group model suffers from similar problems to the random oracle model. In particular, Dent [75] showed that there exist cryptographic constructions secure in the generic group model which become insecure for any specific representation of the group. We refer the reader to Koblitz and Menezes [134] for a discussion on this model.

Proof Techniques

Analysing cryptographic protocols using the computational complexity approach is often very complicated. A cryptographic protocol may rely on several presumably hard computational assumptions and there may also exist many underlying cryptographic tools. A proof of security for the protocol should reduce the security of the protocol to the hardness or security of the underlying assumptions or tools respectively. For this purpose, we use the sequence of games technique employed for proving the security of cryptographic constructions [23, 78, 127, 170]. By applying this technique the security arguments in a proof can be organized in a sequence, which otherwise may look cluttered. In a proof employing the sequence of games technique, we start with the original security game between the adversary and the simulator which simulates the attack environment for the adversary as per the corresponding security notion. We then alter the environment step by step until we can estimate the success probability of the adversary against the protocol. We compute the upper bound on the increase in success probability of the adversary when
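The lazily sampled random oracle described in the Random Oracle Model section above, as an added Python example that is not part of the thesis: `RandomOracle` keeps the list of $(x, y)$ pairs from the text (stored as a dictionary keyed by $x$), answers a repeated query from that list and draws a fresh uniform $y$ otherwise, so every party sees one consistent function $H$. `HashOracle` shows the practical instantiation behind the same interface; it uses SHA-256 rather than the MD5 or SHA-1 named in the text, since those two are no longer collision resistant. Class and function names and the output length are my constructed choices.

```python
import hashlib
import secrets


class RandomOracle:
    """Lazily sampled random function H : {0,1}* -> {0,1}^(8*out_len).

    The oracle is built exactly as the text describes: it records every
    (x, y) pair it has answered; a repeated query is served from that
    record, a fresh query gets a uniformly random y that is then stored.
    Because the record is never exposed, an external adversary learns
    nothing about which x values other parties have queried.
    """

    def __init__(self, out_len=32):
        self.out_len = out_len
        self.pairs = {}              # the list of pairs (x, y), keyed by x

    def query(self, x: bytes) -> bytes:
        if x in self.pairs:          # already queried: repeat the earlier answer
            return self.pairs[x]
        y = secrets.token_bytes(self.out_len)   # uniform, independent of x
        self.pairs[x] = y
        return y

    def queries_made(self) -> int:
        """Number of distinct inputs answered so far (size of the list)."""
        return len(self.pairs)


class HashOracle:
    """The real-world instantiation: a fixed hash function behind the same interface.

    A proof in the random oracle model says nothing about this particular
    function; it only assures that the protocol design has no weakness
    if the hash behaves like RandomOracle above.
    """

    def __init__(self, algorithm="sha256"):
        self.algorithm = algorithm

    def query(self, x: bytes) -> bytes:
        return hashlib.new(self.algorithm, x).digest()


def is_consistent(oracle, inputs) -> bool:
    """Every input must receive the same answer each time it is queried."""
    return all(oracle.query(x) == oracle.query(x) for x in inputs)


def run_protocol_step(oracle, transcript: bytes) -> bytes:
    """A stand-in for any protocol computation that derives a value from H.

    Because both oracle classes expose the same query interface, the same
    code runs in the proof (RandomOracle) and in deployment (HashOracle),
    which is what lets the instantiation be swapped, as the text notes.
    """
    return oracle.query(b"key-derivation|" + transcript)


if __name__ == "__main__":
    ro = RandomOracle()
    print(is_consistent(ro, [b"alice", b"bob", b"alice"]), ro.queries_made())
    print(run_protocol_step(HashOracle(), b"constructed transcript").hex())
```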


More information

Elliptic Curve Public Key Cryptography

Elliptic Curve Public Key Cryptography Why? Elliptic Curve Public Key Cryptography ECC offers greater security for a given key size. Why? Elliptic Curve Public Key Cryptography ECC offers greater security for a given key size. The smaller key

More information

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE

A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275,

More information

Malicious KGC Attacks in Certificateless Cryptography

Malicious KGC Attacks in Certificateless Cryptography Malicious KGC Attacks in Certificateless Cryptography Man Ho Au School of Information Technology and Computer Science University of Wollongong Wollongong, Australia mhaa456@uow.edu.au Yi Mu School of Information

More information

1. Diffie-Hellman Key Exchange

1. Diffie-Hellman Key Exchange e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Diffie-Hellman Key Exchange Module No: CS/CNS/26 Quadrant 1 e-text Cryptography and Network Security Objectives

More information

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model

Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,

More information

Continuous After-the-fact Leakage-Resilient Key Exchange (full version)

Continuous After-the-fact Leakage-Resilient Key Exchange (full version) Continuous After-the-fact Leakage-Resilient Key Exchange (full version) Janaka Alawatugoda 1 Colin Boyd 3 Douglas Stebila 1,2 1 School of Electrical Engineering and Computer Science, Queensland University

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

T Cryptography and Data Security

T Cryptography and Data Security T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use

More information

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. G Swetha M.Tech Student Dr.N.Chandra Sekhar Reddy Professor & HoD U V N Rajesh Assistant Professor Abstract Cryptography

More information

Introduction to Public-Key Cryptography

Introduction to Public-Key Cryptography Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography

More information

Securely Combining Public-Key Cryptosystems

Securely Combining Public-Key Cryptosystems Securely Combining Public-Key Cryptosystems Stuart Haber Benny Pinkas STAR Lab, Intertrust Tech. 821 Alexander Road Princeton, NJ 08540 {stuart,bpinkas}@intertrust.com Abstract It is a maxim of sound computer-security

More information

CSC/ECE 774 Advanced Network Security

CSC/ECE 774 Advanced Network Security Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;

More information

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on

More information

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay

Cryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs

More information

Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange

Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson 1, O. Chevassut 2,3, O. Pereira 2, D. Pointcheval 1 and J.-J. Quisquater 2 1 Ecole Normale Supérieure, 75230 Paris Cedex 05,

More information

Efficient Re-Keyed Encryption Schemes for Secure Communications

Efficient Re-Keyed Encryption Schemes for Secure Communications I J E E E C International Journal of Electrical, Electronics ISSN No. (Online): 2277-2626 and Computer Engineering 3(2): 132-137(2014) Efficient Re-Keyed Encryption Schemes for Secure Communications Md

More information

1 Achieving IND-CPA security

1 Achieving IND-CPA security ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces

More information

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang

More information

Cryptographically Secure Bloom-Filters

Cryptographically Secure Bloom-Filters 131 139 Cryptographically Secure Bloom-Filters Ryo Nojima, Youki Kadobayashi National Institute of Information and Communications Technology (NICT), 4-2-1 Nukuikitamachi, Koganei, Tokyo, 184-8795, Japan.

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004 A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security T. Shrimpton October 18, 2004 Abstract In this note we introduce a variation of the standard definition of chosen-ciphertext

More information

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSE 127: Computer Security Cryptography. Kirill Levchenko CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified

More information

Cryptographic Concepts

Cryptographic Concepts Outline Identify the different types of cryptography Learn about current cryptographic methods Chapter #23: Cryptography Understand how cryptography is applied for security Given a scenario, utilize general

More information

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures Cryptography V: Digital Signatures Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 19th February 2009 Outline Basics Constructing signature schemes Security of

More information

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL)) Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote

More information

Protocols for Authenticated Oblivious Transfer

Protocols for Authenticated Oblivious Transfer Protocols for Authenticated Oblivious Transfer Mehrad Jaberi, Hamid Mala Department of Computer Engineering University of Isfahan Isfahan, Iran mehrad.jaberi@eng.ui.ac.ir, h.mala@eng.ui.ac.ir Abstract

More information

Public Key Algorithms

Public Key Algorithms CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and

More information

Pairing-Based One-Round Tripartite Key Agreement Protocols

Pairing-Based One-Round Tripartite Key Agreement Protocols Pairing-Based One-Round Tripartite Key Agreement Protocols Zhaohui Cheng, Luminita Vasiu and Richard Comley School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, United Kingdom

More information

Overview of Cryptography

Overview of Cryptography 18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security

More information

Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity

Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity ISSN (Online): 1694-0784 ISSN (Print): 1694-0814 Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity 26 Nistala V.E.S. Murthy

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives

More information

Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group

Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group Simple and Efficient Threshold Cryptosystem from the Gap Diffie-Hellman Group Joonsang Baek Monash University Frankston, VIC 3199, Australia Email: joonsang.baek@infotech.monash.edu.au Yuliang Zheng UNC

More information

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols

More information

Security Analysis of Batch Verification on Identity-based Signature Schemes

Security Analysis of Batch Verification on Identity-based Signature Schemes Proceedings of the 11th WSEAS International Conference on COMPUTERS, Agios Nikolaos, Crete Island, Greece, July 26-28, 2007 50 Security Analysis of Batch Verification on Identity-based Signature Schemes

More information

On Symmetric Encryption with Distinguishable Decryption Failures

On Symmetric Encryption with Distinguishable Decryption Failures On Symmetric Encryption with Distinguishable Decryption Failures Alexandra Boldyreva, Jean Paul Degabriele, Kenny Paterson, and Martijn Stam FSE - 12th Mar 2013 Outline Distinguishable Decryption Failures

More information

On the Security of an Efficient Group Key Agreement Scheme for MANETs

On the Security of an Efficient Group Key Agreement Scheme for MANETs On the Security of an Efficient Group Key Agreement Scheme for MANETs Purushothama B R 1,, Nishat Koti Department of Computer Science and Engineering National Institute of Technology Goa Farmagudi, Ponda-403401,

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

Key Establishment. Colin Boyd. May Department of Telematics NTNU

Key Establishment. Colin Boyd. May Department of Telematics NTNU 1 / 57 Key Establishment Colin Boyd Department of Telematics NTNU May 2014 2 / 57 Designing a Protocol Outline 1 Designing a Protocol 2 Some Protocol Goals 3 Some Key Agreement Protocols MTI Protocols

More information